Abstract. We study non-interference based security in a dynamic setting, where the security policy may depend on the state of the system. More specifically, we 1. provide new definitions of dynamic non-interference security which conform to the intuitive notion of non-interference and give efficient algorithms to decide whether a given system is secure, and 2. obtain a characterization of secure systems using unwinding relations. Our new definitions are motivated by the fact that previous definitions show counter-intuitive behaviour, as we point out by exhibiting a system that is clearly insecure even though it meets the previous definition. We capture this deficiency by a precise study of consistency in dynamic policies.

1 Introduction 

Non-interference [GM82,GM84] is a well-studied technique to formalize security of systems that contain trusted and untrusted components. A wide range of different definitions to capture different aspects of non-interference has been proposed [BDRS08]; see [vdMZ10] for a comparison of some of these notions. At the core of these definitions lies the idea that interference, or information flow, between different components should be restricted by a security policy, which fixes the pairs of agents that may interfere with each other. This leads to a notion of states that should be "indistinguishable" for an agent operating in the system; a system is secure if in these states the agent indeed makes the same observations.

The most basic noninterference policy consists of two agents (often also called security domains), $H$ (high) and $L$ (low), and allows interference only from $L$ to $H$, written $L \rightarrowtail H$, but not from $H$ to $L$, written $H \not\rightarrowtail L$. Intuitively, this expresses that $H$ may "see" the actions of $L$, but $L$ must not "see" actions performed by $H$. This property can both be seen as a secrecy property (in the case that $H$ operates on sensitive data that $L$ must not obtain any information about) and as an intrusion prevention property (if $H$ is an untrusted component that should not have any influence on the remainder of the system).

Much of the noninterference literature considers policies as the above, or more generally, policies that are both transitive [Den76] (if an agent $H$ may influence an agent $D$ who in turn may influence another agent $L$, then direct information flow between $H$ and $L$ is permitted) as well as static: the policy cannot change during the runtime of a system.

For many real-world examples, both of these properties are too restrictive. As a consequence, several generalizations have been studied: Intransitive noninterference [HY87] has been proposed, which gives new semantics to intransitive policies: Their formalism, also called IP-security, can model that, in an extension of the above example, $H$ may be allowed to influence $L$, but only if this influence "passes through" another agent $D$. Hence $D$ can be used as a safeguard to control and limit the influence that $H$ has on other parts of the system. Intransitive policies are used to model declassification [MS04]. There is a rich literature on different notions of intransitive noninterference [HY87,Rus92,vdM07].

Similarly, it is widely accepted that to model realistic systems, dynamic noninterference is crucial [BS09,ZM04,Les06]: Here the policy may change during the runtime of a system. This may happen by the addition or removal of users from a system, or a change of users' privileges. While much of the intransitive noninterference literature concerns state-observed systems, the only paper that we are aware of that studies dynamic noninterference in this setting is [Les06].



    Writer:  flip(x)            { if (W ↣ R) then x := ¬x }
    Reader:  read(x)            { output(x) }
    Admin:   denyWriteAccess(x) { W ↛ R }

Fig. 1. A distributed program for access control.



An example. The system in Figure 1 captures a simple distributed program with procedures for reading and writing a binary variable $x$ and an admin who can restrict the write access on that variable. The writer can flip the value of this variable, given that the policy allows him to interfere with the reader; the reader can always read the value of the variable. This distributed program is presented as a transition system in Figure 2.

In our graphical notation, the transition function is indicated with labelled edges between states, where an action $w$ stands for a flip action and is performed by the writer $W$; action $a$ stands for the deny-write-access action and is performed by the admin $A$. The read action of the reader is omitted since the observation of the reader is always the value of the variable. Actions not indicated in the graphical representation loop in the current state. The policies are indicated in each state in the obvious way.

Fig. 2. The transition system of the program in Figure 1.

The system is secure with respect to the definition in [Les06].¹ However, the system is clearly insecure: The reader observes when a flip action modifies the value of the variable and can conclude whether the admin has performed the deny-write-access action. However, the admin is never allowed to interfere with anyone, hence the traces (sequences of actions) $aw$ and $w$ should be indistinguishable for the reader. Since this is not the case, this system must be considered insecure.

An important point to observe in this example is that dynamic policies can be inconsistent in the following sense: The above policy explicitly allows information flow from $W$ to $R$ in the initial state. However, using this liberty by allowing $R$ to observe the action $w$ performed by $W$ in the initial state, by letting this action change $R$'s observation from 0 to 1, contradicts the policy, namely the requirement that $A$ must not interfere with any other agent in the system.

Surprisingly, if we allowed the writer to interfere with the reader in all four states, the system would turn out to be insecure with respect to Leslie's definition, in contrast to the intuition that weakening the security requirements should not turn a secure system into an insecure one. Hence the example shows that the study of dynamic policies exhibits new and subtle issues, which we explore in this paper.

Our results. In this paper, we develop a theory of dynamic noninterference which takes the above-mentioned issues into account. Our contributions are as follows:

1. We provide new and natural definitions for dynamic noninterference, both for the transitive and for the intransitive setting.

2. We give characterizations of policies that are consistent in the above sense.

3. We provide characterizations of our definitions based on unwindings, which are a popular proof technique for interference-based security definitions.

4. We study the complexity of determining whether a given system is secure with respect to a given policy. In the transitive case, this can be answered in nondeterministic logarithmic space (NL). For intransitive noninterference, the problem is fixed-parameter tractable with respect to the number of agents, and solvable in polynomial time if the number of agents is logarithmic in the size of the state space. The general problem is NP-complete.

Our results show significant differences between the transitive and the intransitive case. For one, in the transitive case, the above-mentioned class of consistent policies coincides with uniform policies, which have the natural property that each agent always knows (in a precise epistemic sense) the set of agents that may interfere with him. Hence in the transitive case, each policy is equivalent to one that is consistent and uniform. Moreover, security in the transitive case can be characterized with an unwinding relation, which immediately yields the above-mentioned complexity result. In the intransitive case, the situation is more complicated: Again, every policy is equivalent to one which is consistent, but here, not necessarily to a uniform policy. We again obtain an unwinding-based security characterization, but this one requires computing exponentially many relations. However, if we restrict ourselves to uniform policies, we obtain simple unwindings which again lead to very efficient algorithms. Moreover, the class of uniform policies itself also has an unwinding-based characterization and hence can be verified efficiently.

¹ We will formally state and discuss the security definition from [Les06] in Section 5.2, after introducing the necessary background.

From our unwinding results in the dynamic setting, we obtain as a corollary an unwinding characterization of (static) IP-security. Prior to our results, only an unwinding that was sound, but not complete for IP-security was known [Rus92]. Our new unwinding immediately implies that (static) IP-security can be verified in nondeterministic logarithmic space, improving on the polynomial-time result obtained in [EvdMSW11].

Our definitions of dynamic security are inspired by, and generalizations of, static IP-security. While there are valid arguments against IP-security in the static case [vdM07], these issues are orthogonal to the issues stemming from the dynamic setting. We therefore study the effects of dynamic policies in the framework of IP-security, which is technically simpler than, e.g., TA-security defined in [vdM07].

The proofs for all our results can be found in the appendix. 

2 Preliminaries and Notation 

We work with the standard state-observed system model: A system is a finite automaton where each action belongs to a dedicated agent, and each agent has an observation in each state.

Definition 2.1. A system is a 6-tuple $M = (S, s_0, A, \mathit{step}, \mathit{obs}, \mathit{dom})$, where $S$ is a finite set of states, $s_0 \in S$ is the initial state, $\mathit{step}\colon S \times A \to S$ is a transition function, $\mathit{obs}\colon S \times D \to O$ is an observation function, where $O$ is an arbitrary set of observations, and $\mathit{dom}\colon A \to D$ associates with each action an agent, where $D$ is an arbitrary finite set of agents (or security domains).

For a state $s$ and an agent $u$, we usually write $\mathit{obs}_u(s)$ instead of $\mathit{obs}(s, u)$. For a sequence $\alpha \in A^*$ of actions and a state $s \in S$, we denote with $s \cdot \alpha$ the state obtained when performing the sequence $\alpha$ starting in $s$, i.e., $s \cdot \varepsilon = s$ and $s \cdot \alpha a = \mathit{step}(s \cdot \alpha, a)$. A local policy is a reflexive relation $\rightarrowtail \subseteq D \times D$. A dynamic policy is a family of local policies $(\rightarrowtail_s)_{s \in S}$, one for each state of the system. We also more intuitively talk about "edges" in the policy, where an edge is a single entry $u \rightarrowtail_s v$. A policy is static if the local policies $\rightarrowtail_s$ are the same in all states, i.e., if the question whether $u \rightarrowtail_s v$ holds does not depend on $s$. In this case, we only write $u \rightarrowtail v$. We define the set $\mathit{in}_s(u)$ as the set of agents that may interfere with $u$ in $s$, i.e., the set $\{v \mid v \rightarrowtail_s u\}$.

In our examples, we often identify states with the action sequences used to reach them from the initial state. For example, in the system shown in Figure 2, we denote the initial state with $\varepsilon$, the bottom left state with $a$, the upper right state with $w$, and the bottom right state with $wa$. In each state of the system, we write the policy in that state as a graph. For example, in the system from Figure 2, we have $W \rightarrowtail_\varepsilon R$, but $W \not\rightarrowtail_a R$. We only specify the observations of the agents insofar as they are relevant for the example, which in Figure 2 is only the observation of the agent $R$.



2.1 Static noninterference 

A formulation of security for systems with a static policy was introduced by Goguen and Meseguer [GM82,GM84]. The intuition is that an agent $u$ may only observe actions of agents that are allowed to interfere with $u$. In other words, if an agent $v$ performs some action $a$ and this agent $v$ is not allowed to interfere with some agent $u$, i.e., $v \not\rightarrowtail u$, then whatever happens after this action $a$, the agent $u$ should never be able to observe whether the action $a$ has happened or not. For formalizing this intuition, an operator purge is defined, which removes from a run all actions that a specific agent is not permitted to observe.

Definition 2.2. For any agent $u \in D$, $a \in A$ and $\alpha \in A^*$, we define $\mathit{purge}(\varepsilon, u) = \varepsilon$ and

$$\mathit{purge}(a\alpha, u) = \begin{cases} a\,\mathit{purge}(\alpha, u) & \text{if } \mathit{dom}(a) \rightarrowtail u \\ \mathit{purge}(\alpha, u) & \text{otherwise.} \end{cases}$$

A system is considered secure if no agent can distinguish from its observation whether a specific run $\alpha$ or the "purged" run is performed.

Definition 2.3 ([GM82,GM84]). A system is P-secure if and only if for every $u \in D$, $\alpha \in A^*$, we have $\mathit{obs}_u(s_0 \cdot \alpha) = \mathit{obs}_u(s_0 \cdot \mathit{purge}(\alpha, u))$.

P-security can also be characterized using unwindings. These are equivalence relations that characterize states that agents should not be able to distinguish. An unwinding consists of an equivalence relation on the states of the system for every agent. For P-security the following conditions were defined by Haigh and Young [HY87]. For every $s, t \in S$, $a \in A$:

OC: (output consistency) If $s \sim_u t$, then $\mathit{obs}_u(s) = \mathit{obs}_u(t)$.
SC: (step consistency) If $s \sim_u t$, then $s \cdot a \sim_u t \cdot a$.
LR: (left respect) If $\mathit{dom}(a) \not\rightarrowtail u$, then $s \sim_u s \cdot a$.

These conditions characterize secure systems:

Theorem 2.4 ([HY87,Rus92]). A system is P-secure if and only if for every $u \in D$, there exists an equivalence relation $\sim_u$ that satisfies OC, SC and LR.

An attractive feature of unwinding-based characterizations of security notions is that they directly lead to an efficient verification procedure [EvdMSW11].
2.2 Static Intransitive Noninterference

The notion of P-security is very restrictive on systems with a non-transitive policy. A relaxed notion of noninterference was proposed by Haigh and Young [HY87]. The intuition is that actions may transmit, or downgrade, information about actions performed earlier. If an agent $H$ is permitted to interfere with $D$ ($H \rightarrowtail D$) and if $D$ is permitted to interfere with $L$ ($D \rightarrowtail L$), but $H$ must not directly interfere with $L$ ($H \not\rightarrowtail L$), then $L$ is only allowed to observe that $H$ has performed an action if $D$ performs an action after $H$'s action. Hence $D$'s action transmits $H$'s action, and thus makes it permitted for $L$ to observe it. It is not allowed that $L$ observes $H$'s actions directly, without any action of $D$.

As an example, consider the system in Figure 3. As usual, the action $h$ belongs to the agent $H$, action $d$ to agent $D$. It is obvious that agent $L$ obtains some information about $H$'s actions: Whenever agent $L$ observes the value 2, it is clear that the action $h$ was performed. However, this event only occurs when the $h$ action has been transmitted to agent $L$ by the action $d$ performed by the downgrader $D$. Hence the system is secure with respect to intransitive noninterference. For the formal definition, we follow the presentation of Rushby [Rus92].

Fig. 3. System with static policy $\{H \rightarrowtail D, D \rightarrowtail L\}$.

He considers the set of agents $\mathit{sources}(\alpha, u)$ whose actions will be transmitted to agent $u$ when the action sequence $\alpha$ is performed. It is inductively defined by $\mathit{sources}(\varepsilon, u) = \{u\}$ and, for $a \in A$, $\alpha \in A^*$: if there exists $v \in \mathit{sources}(\alpha, u)$ with $\mathit{dom}(a) \rightarrowtail v$, then

$$\mathit{sources}(a\alpha, u) = \{\mathit{dom}(a)\} \cup \mathit{sources}(\alpha, u),$$

and else

$$\mathit{sources}(a\alpha, u) = \mathit{sources}(\alpha, u).$$

This leads to the definition of an intransitive purge function: Analogously to P-security, an action $a$ is purged from the sequence $a\alpha$ for agent $u$ if $\mathit{dom}(a)$ is not among the agents whose actions will be transmitted to $u$ when $a\alpha$ is performed. This is inductively defined by $\mathit{ipurge}(\varepsilon, u) = \varepsilon$ and, for $a \in A$ and $\alpha \in A^*$, by

$$\mathit{ipurge}(a\alpha, u) = \begin{cases} a\,\mathit{ipurge}(\alpha, u) & \text{if } \mathit{dom}(a) \in \mathit{sources}(a\alpha, u) \\ \mathit{ipurge}(\alpha, u) & \text{otherwise.} \end{cases}$$

The corresponding security definition is analogous to that of P-security.

Definition 2.5 ([HY87,Rus92]). A system is IP-secure iff for all $u \in D$, $\alpha \in A^*$, we have $\mathit{obs}_u(s_0 \cdot \alpha) = \mathit{obs}_u(s_0 \cdot \mathit{ipurge}(\alpha, u))$.
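As an added example (not code from the paper), the definitions of this section, purge, sources and ipurge, written as Python functions and run against a constructed three-agent downgrader system in the spirit of Figure 3. The state names, transitions and observation values are assumptions made for this example and not the figure's data: $L$ observes 2 exactly on the runs where an $h$ was followed by a downgrading $d$. The check enumerates all action sequences up to a fixed length, which can exhibit a counterexample but does not prove security; the unwinding of Theorem 2.4 is the exact method.

```python
"""Static noninterference (Section 2) made executable: purge, sources and ipurge.

Added example, not code from the paper. The system is a constructed stand-in for
the downgrader system of Figure 3 (state names, transitions and observation values
are assumptions): L sees 2 exactly when an h was followed by a downgrading d.
"""
from itertools import product

AGENTS = {"H", "D", "L"}
DOM = {"h": "H", "d": "D"}                      # dom: action -> agent
STEP = {                                        # step: (state, action) -> state
    ("e", "h"): "h", ("e", "d"): "d",
    ("h", "h"): "h", ("h", "d"): "hd",
    ("d", "h"): "d", ("d", "d"): "d",           # once d has happened, nothing changes
    ("hd", "h"): "hd", ("hd", "d"): "hd",
}
OBS_L = {"e": 0, "h": 0, "d": 1, "hd": 2}       # only L's observation is modelled
POLICY = {("H", "D"), ("D", "L")} | {(u, u) for u in AGENTS}   # static, reflexive

def allowed(v, u):
    return (v, u) in POLICY

def run(state, seq):
    for a in seq:
        state = STEP[(state, a)]
    return state

def purge(seq, u):
    """Definition 2.2: drop every action whose agent may not interfere with u."""
    return tuple(a for a in seq if allowed(DOM[a], u))

def sources(seq, u):
    """Rushby's sources: agents whose actions are transmitted to u along seq."""
    if not seq:
        return {u}
    a, rest = seq[0], seq[1:]
    src = sources(rest, u)
    return src | {DOM[a]} if any(allowed(DOM[a], v) for v in src) else src

def ipurge(seq, u):
    """Intransitive purge: keep a iff dom(a) is in sources(a.rest, u)."""
    if not seq:
        return ()
    a, rest = seq[0], seq[1:]
    return ((a,) if DOM[a] in sources(seq, u) else ()) + ipurge(rest, u)

def all_sequences(max_len):
    for n in range(max_len + 1):
        yield from product(sorted(DOM), repeat=n)

def counterexamples(purge_fn, u="L", max_len=4):
    """Runs from s0 = e on which u's observation differs from that of the purged run.
    Bounded enumeration: it can refute security but not prove it."""
    return ["".join(seq) for seq in all_sequences(max_len)
            if OBS_L[run("e", seq)] != OBS_L[run("e", purge_fn(seq, u))]]

if __name__ == "__main__":
    print("P-security counterexamples :", counterexamples(purge))
    print("IP-security counterexamples:", counterexamples(ipurge))
```

Running the block lists the runs on which P-security fails ($hd$ among them: purging $h$ leaves $d$, and $\mathit{obs}_L(d) = 1$ while $\mathit{obs}_L(hd) = 2$) and finds no IP-security counterexample, because ipurge keeps that $h$: $D \in \mathit{sources}(d, L)$ and $H \rightarrowtail D$.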
3 Dynamic Policies: Security for Transitive Policies

3.1 Definition of dynamic information flow security

We first give a new security definition which generalizes P-security to the dynamic case: We require that an action which is not observable for an agent $u$ when it occurs does not have any influence on its observations in the future.

Definition 3.1. A system is dP-secure if and only if for all $u \in D$, $s \in S$, $a \in A$ and $\alpha \in A^*$ the following implication holds:

$$\text{If } \mathit{dom}(a) \not\rightarrowtail_s u, \text{ then } \mathit{obs}_u(s \cdot \alpha) = \mathit{obs}_u(s \cdot a\alpha).$$

Figure 4 shows a dP-secure system. In contrast, the system in Figure 2 is not dP-secure, since $A \not\rightarrowtail_\varepsilon R$, but $\mathit{obs}_R(aw) \neq \mathit{obs}_R(w)$.

Fig. 4. A dP-secure system.

Our security definition takes a different approach than the definitions stated in Section 2: We assume a local point of view by only checking whether a single event is visible for an agent. Hence our definition might seem too weak. However, it is easy to give a purge-based characterization of dP-security. For this, we define a dynamic purge function as follows; note that clearly, the function depends on the state in which the "purging" starts, since the policies depend on the state as well.

Definition 3.2. For any $u \in D$, $s \in S$, $a \in A$ and $\alpha \in A^*$, we define $\mathit{dpurge}(\varepsilon, u, s) = \varepsilon$ and

$$\mathit{dpurge}(a\alpha, u, s) = \begin{cases} a\,\mathit{dpurge}(\alpha, u, s \cdot a) & \text{if } \mathit{dom}(a) \rightarrowtail_s u \\ \mathit{dpurge}(\alpha, u, s) & \text{otherwise.} \end{cases}$$

Similarly to P-security (see Theorem 2.4), we can provide unwinding relations. We adapt the requirements for P-security to the dynamic setting as follows: For an agent $u \in D$, all states $s, t \in S$ and all $a \in A$:

OC$^{dP}$: If $s \sim_u t$, then $\mathit{obs}_u(s) = \mathit{obs}_u(t)$.
SC$^{dP}$: If $s \sim_u t$, then $s \cdot a \sim_u t \cdot a$.
LR$^{dP}$: If $\mathit{dom}(a) \not\rightarrowtail_s u$, then $s \sim_u s \cdot a$.



3.2 Characterizations of dynamic information flow 

Both the dpurge function and the unwinding relations can be used to characterize dP-security, which highlights the natural similarities to the static case. We note that in contrast to the static case, it is not sufficient to consider only action sequences that start in the initial state.

Theorem 3.3. Let $M$ be a system with a dynamic policy $(\rightarrowtail_s)_{s \in S}$. Then the following are equivalent:

1. The system $M$ is dP-secure.

2. For all $u \in D$, $s \in S$ and all $\alpha, \beta \in A^*$ with $\mathit{dpurge}(\alpha, u, s) = \mathit{dpurge}(\beta, u, s)$, we have that $\mathit{obs}_u(s \cdot \alpha) = \mathit{obs}_u(s \cdot \beta)$.

3. For every agent $u \in D$ there exists an equivalence relation $\sim_u \subseteq S \times S$ that satisfies the conditions OC$^{dP}$, SC$^{dP}$ and LR$^{dP}$.

The benefit of unwinding relations is that they lead directly to an efficient verification procedure. For verifying security, it is sufficient to compute for every $u \in D$ the smallest equivalence relation that satisfies LR$^{dP}$ and SC$^{dP}$ and check that the observation function $\mathit{obs}_u$ is constant on every equivalence class. This can be done with nearly the same algorithm as in the static case, described in [EvdMSW11]. The above theorem directly implies that it can be decided in nondeterministic logarithmic space whether a system is dP-secure with respect to a given policy.

3.3 Inconsistencies and Uniform Policies

Dynamic policies can be inconsistent: An allowed interference $u \rightarrowtail_s v$ may contradict a "forbidden" interference $u' \not\rightarrowtail_{s'} v'$ in another state $s'$. Hence an edge in a policy does not explicitly allow that information may flow, but this permission is subject to consistency with other aspects of the policy. Thus an edge $v \rightarrowtail_s u$ in the policy should be interpreted as "it is not explicitly forbidden that $v$ interferes with $u$." For an example, again consider the system in Figure 2. Here, the policy in the initial state allows information flow from $W$ to $R$. However, if $R$ is allowed to observe $W$'s action in the initial state, then $R$ would know that the system is in the initial state, and would also know that $A$ has not performed an action. This is an information flow from $A$ to $R$, which is prohibited by the policy. We now discuss a class of policies where this problem does not appear: A very simple structure of the policy is one where in all states which have to be indistinguishable for an agent the incoming edges of the local policy are the same. If a system has such a policy, an agent always knows what its incoming edges are, even if the agent does not know the actual state of the system. Such policies will be denoted as uniform policies.

Definition 3.4. Let $M$ be a system with a dynamic policy $(\rightarrowtail_s)_{s \in S}$. Then $(\rightarrowtail_s)_{s \in S}$ is uniform if for every $u \in D$, $s \in S$, $a \in A$ and $\alpha \in A^*$ with $\mathit{dom}(a) \not\rightarrowtail_s u$, we have $\mathit{in}_{s \cdot \alpha}(u) = \mathit{in}_{s \cdot a\alpha}(u)$.

Surprisingly, it can be shown that uniform policies are sufficient in the following sense: Every policy is equivalent to the largest uniform policy it contains. Intuitively, the reason for this is that if $v \rightarrowtail_s u$, but $u$ is not supposed to "know" that this interference is allowed, then any actual information flow using this edge lets $u$ notice that the edge was present, and hence allows $u$ to distinguish the state $s$ from a state $s'$ with $v \not\rightarrowtail_{s'} u$.

We show that for any system with an arbitrary policy, it is possible to give a uniform policy, such that the system is dP-secure with the original policy iff the system is dP-secure with the uniform policy.

Theorem 3.5. Let $M$ be a system, and let $(\rightarrowtail_s)_{s \in S}$ be a dynamic policy. Let $(\rightarrowtail'_s)_{s \in S}$ be the largest uniform policy that is included in $(\rightarrowtail_s)_{s \in S}$.² Then $M$ is dP-secure with respect to $(\rightarrowtail_s)_{s \in S}$ if and only if $M$ is dP-secure with respect to $(\rightarrowtail'_s)_{s \in S}$.

We note that the policy $(\rightarrowtail'_s)_{s \in S}$ in Theorem 3.5 can be obtained from $(\rightarrowtail_s)_{s \in S}$ by repeatedly removing edges $v \rightarrowtail_s u$ from the policy whenever there is a state $s'$ with $v \not\rightarrowtail_{s'} u$ such that, for $u$, the states $s$ and $s'$ should be indistinguishable due to the definition of dP-security.

Uniform policies have the following property: Every edge occurring in some state represents an information flow that is actually allowed; no edge contradicts the global policy. Another way to interpret this is that any information flow that is forbidden by the policy is directly forbidden via the absence of the corresponding edge. In that sense, such a policy is closed under logical deduction. Uniform policies have several additional natural properties; for example, the dpurge function behaves very similarly to the static case: It suffices to verify action sequences that start in the initial state of the system, and dpurge satisfies a natural associativity condition on uniform policies. It can also be shown that for uniform policies, our security definition and the definition from [Les06] coincide.
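The verification procedure of Section 3.2 (the smallest equivalence relation satisfying LR$^{dP}$ and SC$^{dP}$, then a check that $\mathit{obs}_u$ is constant on each class) together with the edge-removal procedure for the largest uniform sub-policy described above, as an added Python example that is not code from the paper or from [EvdMSW11]. The transition system is a hand-built encoding of Figures 1 and 2 and makes two assumptions the page leaves open: the flip action toggles the bit (so $ww$ returns to the initial state), and write access stays denied once the admin has acted; only $R$'s observation is modelled. The uniformity check implements Definition 3.4 exactly, by exploring all pairs $(s \cdot \alpha, s \cdot a\alpha)$ for every action $a$ invisible in $s$.

```python
"""dP-security via its unwinding (Theorem 3.3) and the largest uniform sub-policy
(Theorem 3.5) on the Figure 2 system. Added example, not code from the paper or
from [EvdMSW11]. Assumptions of the encoding: the flip action toggles the bit (ww
returns to the initial state), write access stays denied once the admin has acted,
and only R's observation is modelled; A may never interfere with anyone."""
from collections import deque

ACTIONS = {"w": "W", "a": "A"}                  # dom: action -> agent
AGENTS = {"W", "A", "R"}
STATES = ["e", "w", "a", "wa"]                  # named by a sequence that reaches them
STEP = {("e", "w"): "w", ("e", "a"): "a", ("w", "w"): "e", ("w", "a"): "wa",
        ("a", "w"): "a", ("a", "a"): "a", ("wa", "w"): "wa", ("wa", "a"): "wa"}
OBS = {"R": {"e": 0, "w": 1, "a": 0, "wa": 1}}  # R always sees the bit x
REFLEXIVE = {(u, u) for u in AGENTS}
# Figure 2 policy: W may interfere with R only while write access is granted.
POLICY = {"e": REFLEXIVE | {("W", "R")}, "w": REFLEXIVE | {("W", "R")},
          "a": set(REFLEXIVE), "wa": set(REFLEXIVE)}

class UnionFind:
    def __init__(self, items):
        self.parent = {x: x for x in items}
    def find(self, x):
        while self.parent[x] != x:
            x = self.parent[x]
        return x
    def union(self, x, y):                      # True iff two classes were merged
        rx, ry = self.find(x), self.find(y)
        if rx != ry:
            self.parent[ry] = rx
        return rx != ry

def smallest_unwinding(policy, u):
    """Smallest equivalence on STATES satisfying LR^dP and SC^dP for agent u."""
    uf, work = UnionFind(STATES), deque()
    for s in STATES:                            # LR^dP: dom(a) not->_s u  =>  s ~ s.a
        for act, agent in ACTIONS.items():
            if (agent, u) not in policy[s] and uf.union(s, STEP[(s, act)]):
                work.append((s, STEP[(s, act)]))
    while work:                                 # SC^dP: s ~ t  =>  s.a ~ t.a
        s, t = work.popleft()
        for act in ACTIONS:
            if uf.union(STEP[(s, act)], STEP[(t, act)]):
                work.append((STEP[(s, act)], STEP[(t, act)]))
    return uf

def dp_violations(policy):
    """OC^dP failures: (u, s, t) with s ~_u t but differing observations for u."""
    bad = []
    for u in AGENTS:
        uf, o = smallest_unwinding(policy, u), OBS.get(u, {})
        for i, s in enumerate(STATES):
            for t in STATES[i + 1:]:
                if uf.find(s) == uf.find(t) and o.get(s) != o.get(t):
                    bad.append((u, s, t))
    return bad

def incoming(policy, s, u):
    """in_s(u): the agents that may interfere with u in state s."""
    return {v for (v, x) in policy[s] if x == u}

def is_uniform(policy):
    """Definition 3.4: for every a with dom(a) not->_s u and every alpha, u's incoming
    edges agree in s.alpha and s.a.alpha (all such pairs of states are explored)."""
    for u in AGENTS:
        for s in STATES:
            for act, agent in ACTIONS.items():
                if (agent, u) in policy[s]:
                    continue
                seen, todo = set(), deque([(s, STEP[(s, act)])])
                while todo:
                    p, q = todo.popleft()
                    if (p, q) in seen:
                        continue
                    seen.add((p, q))
                    if incoming(policy, p, u) != incoming(policy, q, u):
                        return False
                    todo.extend((STEP[(p, b)], STEP[(q, b)]) for b in ACTIONS)
    return True

def largest_uniform_subpolicy(policy):
    """Remark after Theorem 3.5: drop v ->_s u whenever u cannot distinguish s (by the
    current unwinding) from some s' with v not->_s' u; repeat until a fixpoint."""
    pol = {s: set(edges) for s, edges in policy.items()}
    changed = True
    while changed:
        changed = False
        for u in AGENTS:
            uf = smallest_unwinding(pol, u)
            for s in STATES:
                for v in list(incoming(pol, s, u)):
                    if v != u and any(uf.find(s) == uf.find(t) and (v, u) not in pol[t]
                                      for t in STATES):
                        pol[s].discard((v, u))
                        changed = True
    return pol

if __name__ == "__main__":
    print("dP violations:", dp_violations(POLICY), "uniform:", is_uniform(POLICY))
    uni = largest_uniform_subpolicy(POLICY)
    print("edges into R after pruning:", {s: incoming(uni, s, "R") for s in STATES})
    print("dP violations (pruned):", dp_violations(uni), "uniform:", is_uniform(uni))
```

On the Figure 2 policy the unwinding for $R$ merges all four states ($\varepsilon \sim_R a$ by LR$^{dP}$, then $w \sim_R a$ by SC$^{dP}$), so $R$'s observation is not constant on the class and the system is reported insecure. The policy is not uniform; the pruning removes both $W \rightarrowtail R$ edges, the pruned policy is uniform, and the verdict is unchanged, as Theorem 3.5 predicts.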



4 Transitive Policies with Downgrading over Time



Before considering the general intransitive case, we consider an interesting intermediate scenario. Consider a situation where in some state $s$, the agent $H$ is not allowed to interfere with $L$, i.e., we have $H \not\rightarrowtail_s L$, but in some later state $s \cdot \alpha$, this interference is allowed, i.e., $H \rightarrowtail_{s \cdot \alpha} L$. In the definition of dP-security, this only allows $H$ to transmit to $L$ information about actions that $H$ performs in the state $s \cdot \alpha$. A slight relaxation of dP-security allows agent $H$ to additionally transmit in the state $s \cdot \alpha$ information about actions that $H$ itself performed previously to the state $s \cdot \alpha$, e.g., in the state $s$. Hence this interpretation of dynamic non-interference allows an agent to transmit actions that it has performed earlier. However, it is not allowed to transmit actions performed by other agents.

Fig. 5. Downgrading over time.



² Here "included in" means: if $v \rightarrowtail'_s u$ according to $(\rightarrowtail'_s)_{s \in S}$, then also $v \rightarrowtail_s u$ according to $(\rightarrowtail_s)_{s \in S}$.
The system in Figure 5 should be considered secure, since the second $h$ action transmits the first $h$ action. This system is not dP-secure. This is captured by the following definition:

Definition 4.1. A system is dotP-secure if for all $u \in D$, $s \in S$, $a \in A$ and $\alpha \in A^*$: If $\mathit{dom}(a) \not\rightarrowtail_s u$ and there do not exist $b \in A$, $\beta, \beta' \in A^*$ with $\alpha = \beta b \beta'$, $\mathit{dom}(a) = \mathit{dom}(b)$ and $\mathit{dom}(a) \rightarrowtail_{s \cdot a\beta} u$, then $\mathit{obs}_u(s \cdot a\alpha) = \mathit{obs}_u(s \cdot \alpha)$.

Note that the situation here is asymmetric in the following sense: In the example given in Figure 5, the initial state and the state $h$ need to be considered "equivalent" by any unwinding-like characterization. However, performing the action $h$ in the initial state must not leave the equivalence class, while performing it in the state $h$ may. Therefore, it is not surprising that instead of an equivalence relation (which is in particular symmetric), our characterization of dotP-secure systems uses a directed relation.

For every agent $u$ and $v$, the properties that such a relation $\triangleleft_{u,v}$ should satisfy are, for every $s, t \in S$ and $a \in A$:

OC$^{dotP}$: If $s \triangleleft_{u,v} t$, then $\mathit{obs}_u(s) = \mathit{obs}_u(t)$.
SC$^{dotP}$: If $s \triangleleft_{u,v} t$ and ($\mathit{dom}(a) \neq v$, or $\mathit{dom}(a) = v$ and $v \not\rightarrowtail_t u$), then $s \cdot a \triangleleft_{u,v} t \cdot a$.
LR$^{dotP}$: If $\mathit{dom}(a) = v$ and $v \not\rightarrowtail_s u$, then $s \triangleleft_{u,v} s \cdot a$.

It is also possible to characterize dotP-security by a sources-based definition closer to the case of intransitive noninterference: This highlights that downgrading over time already features some aspects of the intransitive case, which we will study in detail in Section 5.

Definition 4.2. For $u \in D$, $s \in S$, $a \in A$ and $\alpha \in A^*$, we define $\mathit{dotsources}(\varepsilon, u, s) = \{u\}$ and

$$\mathit{dotsources}(a\alpha, u, s) = \begin{cases} \{\mathit{dom}(a)\} \cup \mathit{dotsources}(\alpha, u, s \cdot a) & \text{if } \mathit{dom}(a) \rightarrowtail_s u \\ \mathit{dotsources}(\alpha, u, s \cdot a) & \text{otherwise.} \end{cases}$$

Both the unwinding relations and the sources-based definition characterize dotP-security:

Theorem 4.3. Let $M$ be a system with a policy $(\rightarrowtail_s)_{s \in S}$. Then the following properties are equivalent:

1. $M$ is dotP-secure.

2. For every two agents $u, v \in D$ there exists a relation $\triangleleft_{u,v}$ that satisfies OC$^{dotP}$, SC$^{dotP}$ and LR$^{dotP}$.

3. For all $u \in D$, $a \in A$, $s \in S$, $\alpha \in A^*$: If $\mathit{dom}(a) \notin \mathit{dotsources}(a\alpha, u, s)$, then $\mathit{obs}_u(s \cdot a\alpha) = \mathit{obs}_u(s \cdot \alpha)$.

The characterization with an unwinding implies that deciding whether a system is dotP-secure with respect to a given policy can be done in nondeterministic logarithmic space.

A purge-based characterization of dotP-security can be given analogously.
5 Intransitive Case

5.1 Definition of dIP-security

We now consider the fully intransitive case, where whenever an agent performs an action, he transmits information about the actions he has performed himself as well as information about actions by other agents that was previously transmitted to him. The definition follows a similar pattern as that of IP-security: If the performance of an action sequence $a\alpha$ starting in a state $s$ does not transmit the action $a$ (possibly via several intermediate steps) to the agent $u$, then $u$ should not be able to deduce from his observations whether $a$ was performed. To formalize this, we use the straightforward adaptation of Rushby's sources definition to the dynamic case (see also [Les06]):

Definition 5.1. Let $M$ be a system with policy $(\rightarrowtail_s)_{s \in S}$. For a state $s \in S$, a sequence $\alpha \in A^*$, and an agent $u$, we define $\mathit{disources}(\varepsilon, u, s) = \{u\}$, and

$$\mathit{disources}(a\alpha, u, s) = \begin{cases} \{\mathit{dom}(a)\} \cup \mathit{disources}(\alpha, u, s \cdot a) & \text{if there is } v \in \mathit{disources}(\alpha, u, s \cdot a) \text{ with } \mathit{dom}(a) \rightarrowtail_s v \\ \mathit{disources}(\alpha, u, s \cdot a) & \text{otherwise.} \end{cases}$$

An action $a$ is transmitted to an agent $u$ in the action sequence $a\alpha$ starting in the state $s$ if $\mathit{dom}(a) \in \mathit{disources}(a\alpha, u, s)$. An alternate view of the definition is to consider the sets of agents that "know" whether the action $a$ has been performed in state $s$: Initially, this is only the set of agents $v$ with $\mathit{dom}(a) \rightarrowtail_s v$. The knowledge is spread by every action performed by an agent who is "in the know": If an action $b$ is performed in a later state $t$, and $\mathit{dom}(b)$ already knows that the action $a$ was performed, then all agents $v$ with $\mathit{dom}(b) \rightarrowtail_t v$ obtain this information when $b$ is performed. Following the discussion above, we obtain the following natural definition of security:

Definition 5.2. Let $M$ be a system with a policy $(\rightarrowtail_s)_{s \in S}$. We say that $M$ is dIP-secure if for all agents $u \in D$, all states $s \in S$, all actions $a \in A$, and all sequences $\alpha \in A^*$ with $\mathit{dom}(a) \notin \mathit{disources}(a\alpha, u, s)$, we have $\mathit{obs}_u(s \cdot a\alpha) = \mathit{obs}_u(s \cdot \alpha)$.

The definition formalizes the above arguments: If, on the path $a\alpha$, the action $a$ is not transmitted to $u$, then the question whether $a$ was performed or not should not change $u$'s observation: The runs $a\alpha$ and $\alpha$, starting in the state $s$, should be indistinguishable for $u$.

Consider the earlier example in Figure 2. As argued before, the system should be regarded as insecure. This remains true for our intransitive notion of security: Since $A$ must not interfere with any other agent in any state of the system, we have $\mathit{dom}(a) \notin \mathit{disources}(aw, R, s_0)$. Since we have $\mathit{obs}_R(s_0 \cdot aw) \neq \mathit{obs}_R(s_0 \cdot w)$, the system is insecure.
We will now consider two alternative definitions of intransitive noninterference in the dynamic case, the first one based on a purge-like function and the second one using a natural unwinding condition. We will then see that all of these approaches lead to the same definition of security, which strengthens our belief that dIP-security is indeed a natural definition of dynamic intransitive noninterference.



5.2 A purge-based definition of dIP-security 

Similarly to our definition for transitive systems, dIP-security can be character- 
ized by a purge-like function as well. There is, however, a subtle but important 
point that has to be considered, which we discuss after giving the formal defini- 
tion. 

Definition 5.3. Let $M$ be a system with a policy $(\rightarrowtail_s)_{s \in S}$. For a state $s$, a sequence $\alpha \in A^*$, and an agent $u$, we define $\mathit{dipurge}(\varepsilon, u, s) = \varepsilon$, and

$$\mathit{dipurge}(a\alpha, u, s) = \begin{cases} a\,\mathit{dipurge}(\alpha, u, s \cdot a) & \text{if } \mathit{dom}(a) \in \mathit{disources}(a\alpha, u, s) \\ \mathit{dipurge}(\alpha, u, s) & \text{otherwise.} \end{cases}$$

The crucial point is that in the case where $a$ is not visible for the agent $u$, we define $\mathit{dipurge}(a\alpha, u, s)$ as $\mathit{dipurge}(\alpha, u, s)$ instead of the more intuitive choice $\mathit{dipurge}(\alpha, u, s \cdot a)$, on which the security definition in [Les06] is based.

We briefly explain the reasoning behind this choice. Assume that we work with the more intuitive choice of the purge function as outlined above, and consider the action sequence $aw$, performed from the initial state in the system given in Figure 2. Since the action $a$ is clearly not transmitted to the agent $R$, it is removed from the trace, and the result of the purge function would be the same as purging the sequence $w$ starting in the lower left state. However, in this state, the action $w$ is invisible for $R$, hence the purge function would remove it, and thus purging the sequence $aw$ for agent $R$ results in the empty sequence. On the other hand, if we consider the sequence $w$, again starting in the initial state, then the $w$ is not removed, since here $w$ is directly visible for $R$. It hence follows that $aw$ and $w$ do not lead to the same purged trace. Hence a security definition based on such a purge function does not require $aw$ and $w$ to lead to observationally equivalent states. This is the reason why, as mentioned earlier, the system in Figure 2 is considered secure in the security definition from [Les06].

However, a natural definition of security needs to require $aw$ and $w$ to lead to the same observation for agent $R$, as the event $a$ may not be transmitted to $R$ under any circumstances.
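The argument above, as an added Python example that is not code from the paper: disources and dipurge from Definitions 5.1 and 5.3 next to the variant `dipurge_alt`, which continues purging from $s \cdot a$ after dropping an invisible action (the more intuitive choice the text attributes to [Les06]), plus a direct check of Definition 5.2. The Figure 2 system is encoded under two assumptions the page leaves open (the flip action toggles the bit, and write access stays denied once the admin has acted); only $R$'s observation is modelled.

```python
"""Dynamic intransitive purge (Definitions 5.1 and 5.3) on the Figure 2 system.

Added example, not the paper's code. Assumptions of this encoding: the flip action
toggles the bit (so ww returns to the initial state), write access stays denied once
the admin has acted, and only R's observation is modelled.
"""
from itertools import product

DOM = {"w": "W", "a": "A"}                      # dom: action -> agent
AGENTS = {"W", "A", "R"}
STATES = ["e", "w", "a", "wa"]                  # named by a sequence that reaches them
STEP = {("e", "w"): "w", ("e", "a"): "a", ("w", "w"): "e", ("w", "a"): "wa",
        ("a", "w"): "a", ("a", "a"): "a", ("wa", "w"): "wa", ("wa", "a"): "wa"}
OBS_R = {"e": 0, "w": 1, "a": 0, "wa": 1}       # R always sees the bit x
REFLEXIVE = {(u, u) for u in AGENTS}
POLICY = {"e": REFLEXIVE | {("W", "R")}, "w": REFLEXIVE | {("W", "R")},
          "a": set(REFLEXIVE), "wa": set(REFLEXIVE)}  # A never interferes with anyone

def allowed(v, u, s):
    return (v, u) in POLICY[s]

def run(s, seq):
    for x in seq:
        s = STEP[(s, x)]
    return s

def disources(seq, u, s):
    """Definition 5.1: dom(a) becomes a source if, in the state s where a is
    performed, it may interfere with some source of the remaining run from s.a."""
    if not seq:
        return {u}
    a, rest = seq[0], seq[1:]
    later = disources(rest, u, STEP[(s, a)])
    if any(allowed(DOM[a], v, s) for v in later):
        return later | {DOM[a]}
    return later

def dipurge(seq, u, s):
    """Definition 5.3: an untransmitted action is dropped and purging continues from s."""
    if not seq:
        return ()
    a, rest = seq[0], seq[1:]
    if DOM[a] in disources(seq, u, s):
        return (a,) + dipurge(rest, u, STEP[(s, a)])
    return dipurge(rest, u, s)

def dipurge_alt(seq, u, s):
    """The rejected variant: purging continues from s.a although a was dropped."""
    if not seq:
        return ()
    a, rest = seq[0], seq[1:]
    if DOM[a] in disources(seq, u, s):
        return (a,) + dipurge_alt(rest, u, STEP[(s, a)])
    return dipurge_alt(rest, u, STEP[(s, a)])

def purged_pair(purge_fn, u="R"):
    """The two runs from the introduction, aw and w, both starting in the initial state."""
    return purge_fn(("a", "w"), u, "e"), purge_fn(("w",), u, "e")

def dip_counterexamples(u="R", max_len=3):
    """Definition 5.2 checked on every run up to max_len from every state:
    (s, a, alpha) is listed if a is not transmitted to u but changes u's observation."""
    seqs = [p for n in range(max_len + 1) for p in product(sorted(DOM), repeat=n)]
    return sorted(
        (s, a, "".join(alpha))
        for s in STATES for a in DOM for alpha in seqs
        if DOM[a] not in disources((a,) + alpha, u, s)
        and OBS_R[run(s, alpha)] != OBS_R[run(s, (a,) + alpha)]
    )

if __name__ == "__main__":
    print("dipurge     (aw, w):", purged_pair(dipurge))
    print("dipurge_alt (aw, w):", purged_pair(dipurge_alt))
    print("dIP counterexamples:", dip_counterexamples())
```

Under dipurge the runs $aw$ and $w$ from $\varepsilon$ both purge to $w$, so Theorem 5.5(2) demands $\mathit{obs}_R(aw) = \mathit{obs}_R(w)$, which fails; under `dipurge_alt` they purge to $\varepsilon$ and $w$ respectively and the definition imposes nothing on them. The direct check of Definition 5.2 reports the same runs, beginning with $(\varepsilon, a, w)$.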



In Section 5.4 we will show that dipurge yields a natural equivalent charac- 
terization of dIP-security, which further supports the above arguments for our 
definition of the dipurge-function. 
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5.3 Unwindings for dIP-security 



We now present an intransitive dynamic security definition based on unwinding 
relations. As mentioned in our discussion of downgrading over time, dynamic 
intransitive security cannot easily be characterized with symmetric unwindings. 
Hence our characterization again uses a directed relation. In fact, we need a 
relation for every set of agents $D' \subseteq D$. We require the following conditions: 

Definition 5.4. Let $M$ be a system with agents $D$ and state set $S$, let $(\rightarrowtail_s)_{s \in S}$ 
be a policy for $M$. A dynamic intransitive unwinding for $M$ with respect to 
$(\rightarrowtail_s)_{s \in S}$ consists of a family of relations $(\trianglelefteq_{D'})_{D' \subseteq D}$, where $\trianglelefteq_{D'} \subseteq S \times S$ for all 
$D' \subseteq D$, such that the following conditions are satisfied: 

$\mathrm{dOC}^{dip}$ (output consistency): If $s \trianglelefteq_{D'} t$ and $u \in D'$, then $\mathrm{obs}_u(s) = \mathrm{obs}_u(t)$, 
$\mathrm{dSC}^{dip}$ (step consistency): If $s \trianglelefteq_{D'} t$, then $s \cdot b \trianglelefteq_{D''} t \cdot b$, where $D'' = D'$ if 
$\mathrm{dom}(b) \in D'$, and $D'' = D' \cap \{u \mid \mathrm{dom}(b) \not\rightarrowtail_s u\}$ otherwise, 
$\mathrm{dLR}^{dip}$ (local respect): $s \trianglelefteq_{\{u \in D \mid \mathrm{dom}(a) \not\rightarrowtail_s u\}} s \cdot a$. 

Intuitively, $s \trianglelefteq_{D'} t$ expresses that there is a common reason for all agents in 
$D'$ to have the same observations in $s$ as in $t$, i.e., there is a state $\hat{s}$, an action $a$ 
and a sequence $\alpha$ such that $s = \hat{s} \cdot a\alpha$, $t = \hat{s} \cdot \alpha$, and $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, \hat{s})$ 
for all agents $u \in D'$. 



5.4 Characterizations of dIP-security 

As already informally stated above, we now show that the three characterizations 
of dynamic intransitive noninterference suggested above are equivalent: 
Our security definition from Section 5.1 can be equivalently phrased using a 
purge-based definition as well as using our unwinding characterization. 

Theorem 5.5. Let $M$ be a system and let $(\rightarrowtail_s)_{s \in S}$ be a policy. Then the following 
are equivalent: 

1. $M$ is dIP-secure with respect to $(\rightarrowtail_s)_{s \in S}$, 

2. for all agents $u$, all states $s$, and all action sequences $\alpha$ and $\beta$ with 
$\mathrm{dipurge}(\alpha, u, s) = \mathrm{dipurge}(\beta, u, s)$, we have that $\mathrm{obs}_u(s \cdot \alpha) = \mathrm{obs}_u(s \cdot \beta)$, 

3. there is a dynamic intransitive unwinding for $M$ with respect to $(\rightarrowtail_s)_{s \in S}$. 
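The following Python model is an added example and not code from the paper. It implements dipurge and the [Les06] variant dipurge' on a small constructed system in the spirit of the Figure 2 discussion above (a hidden action a of H, after which D may no longer transmit to R) and runs the bounded purge-based check of item 2 over all short traces. Agent names, the policy, the observation function and the recursive disources definition are assumptions.

```python
from itertools import product

# Constructed example system modelled on the paper's discussion of Figure 2
# (the figure itself is not on this page; agents, actions, policy, observations
# and the recursive disources definition below are our assumptions).
AGENTS = ("H", "D", "R")
DOM = {"a": "H", "w": "D"}   # dom(a) = H, dom(w) = D
S0 = ""                      # states are named by the trace that reaches them from s0

def step(state, alpha):
    """s . alpha: the (deterministic) transition function, here trace concatenation."""
    return state + alpha

def allowed(state, v, u):
    """v |-> _state u.  Assumed policy: reflexive edges always hold; D may send to R
    only while H has not yet performed a; H may send to nobody but itself."""
    return v == u or ((v, u) == ("D", "R") and "a" not in state)

def obs(state, u):
    """Assumed observation function: R sees whether a w occurred before the
    first a; H and D count their own actions."""
    if u == "R":
        return "w" in state.split("a", 1)[0]
    return state.count("a") if u == "H" else state.count("w")

def disources(alpha, u, state):
    """Dynamic intransitive sources of u for alpha performed from state:
    dom(a) is a source of a.alpha iff dom(a) |-> _state v for some source v of the
    remaining sequence (evaluated from state . a).  u is always its own source."""
    if not alpha:
        return {u}
    a, rest = alpha[0], alpha[1:]
    later = disources(rest, u, step(state, a))
    if any(allowed(state, DOM[a], v) for v in later):
        return later | {DOM[a]}
    return later

def dipurge(alpha, u, state):
    """The paper's dipurge: a non-transmitted action is dropped without
    advancing the state argument."""
    if not alpha:
        return ""
    a, rest = alpha[0], alpha[1:]
    if DOM[a] in disources(alpha, u, state):
        return a + dipurge(rest, u, step(state, a))
    return dipurge(rest, u, state)

def dipurge_les06(alpha, u, state):
    """The variant dipurge' underlying [Les06]: the dropped action still
    advances the state argument."""
    if not alpha:
        return ""
    a, rest = alpha[0], alpha[1:]
    if DOM[a] in disources(alpha, u, state):
        return a + dipurge_les06(rest, u, step(state, a))
    return dipurge_les06(rest, u, step(state, a))

def sequences(max_len):
    """All action sequences of length <= max_len, shortest first."""
    for n in range(max_len + 1):
        for seq in product(DOM, repeat=n):
            yield "".join(seq)

def find_violation(purge, max_len=3, state_depth=2, initial_only=False):
    """Bounded check of the purge-based condition of Theorem 5.5(2): return the
    first (s, u, alpha, beta) with purge(alpha, u, s) == purge(beta, u, s) but
    obs_u(s.alpha) != obs_u(s.beta), or None.  initial_only=True evaluates the
    purge function from s0 only, as the definition of [Les06] does."""
    states = [S0] if initial_only else list(sequences(state_depth))
    seqs = list(sequences(max_len))
    for s in states:
        for u in AGENTS:
            purged = {alpha: purge(alpha, u, s) for alpha in seqs}
            for alpha, beta in product(seqs, repeat=2):
                if purged[alpha] == purged[beta] and \
                        obs(step(s, alpha), u) != obs(step(s, beta), u):
                    return (s, u, alpha, beta)
    return None

if __name__ == "__main__":
    # aw and w purge to the same trace under dipurge but not under dipurge'.
    print("dipurge(aw, R, s0)  =", repr(dipurge("aw", "R", S0)))
    print("dipurge'(aw, R, s0) =", repr(dipurge_les06("aw", "R", S0)))
    print("dIP violation      :", find_violation(dipurge))
    print("[Les06] violation  :", find_violation(dipurge_les06, initial_only=True))
```

The search reports the pair (w, aw) as a dIP violation for R, while the [Les06] check from the initial state finds none, which is exactly the discrepancy described for Figure 2.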



5.5 Complexity of verifying dIP-security 

In contrast to unwindings for the transitive case, the unwinding characterization 
of dIP-security does not lead to a polynomial-time algorithm to verify security 
of a system: The number of relations needed to consider is exponential in the 
number of agents in the system. It turns out that (unless P = NP), we cannot 
do significantly better: The verification problem is in fact NP-complete. 

Theorem 5.6. Determining whether a given system is dIP-secure with respect 
to a given policy is NF-complete. 
In particular, unless P = NP, dIP-security cannot be characterized with a 
polynomial number of unwinding relations, each of which can be computed in 
polynomial time. However, the above unwinding characterization shows that the 
complexity stems from the number of agents in the system, as opposed to the 
number of states. Since the number of agents is often significantly smaller than 
the number of states, efficient verification of security for many realistic systems 
is still possible. Formally, applying a standard dynamic programming approach 
to the unwinding conditions given in Theorem 5.5 yields the following result: 

Corollary 5.7. — Determining whether a given system is dIP-secure with re- 
spect to a given policy is fixed-parameter-tractable with the number of agents 
as parameter. 

— For systems where the number of agents is logarithmic in the number of 
states, deciding whether a system satisfies dIP-security can be performed in 
polynomial time. 

The concept of fixed-parameter tractability was introduced to study situations 
as above, where the worst-case complexity of an NP-complete problem 
depends on a parameter that will be small for practically relevant instances. For 
background on fixed-parameter tractability, we refer the reader to [DF99]. 



5.6 Relationship to other notions of security 

As mentioned earlier, the only definition of dynamic non-interference in a state-based 
setting that we are aware of is given in [Les06]. With the notation introduced 
in Section 5.1, we can now formally state their security definition: 
Consider the function $\mathrm{dipurge}'$ which is defined in the same way as $\mathrm{dipurge}$, 
except that in the case that $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$, $\mathrm{dipurge}'$ is defined as 
$\mathrm{dipurge}'(a\alpha, u, s) = \mathrm{dipurge}'(\alpha, u, s \cdot a)$. Now a system is secure according to the 
definition from [Les06] if for all agents $u$ and all action sequences $\alpha$ and $\beta$ with 
$\mathrm{dipurge}'(\alpha, u, s_0) = \mathrm{dipurge}'(\beta, u, s_0)$, we have that $\mathrm{obs}_u(s_0 \cdot \alpha) = \mathrm{obs}_u(s_0 \cdot \beta)$. 

One can show that for uniform policies, our definition and the one given 
in [Les06] also coincide in the intransitive case. For irredundant policies, this is 
not generally true. 

For static systems, our intransitive purge function as defined above and the 
function used to define IP-security in [HY87] (cp. Section 2.2) are identical. 
Therefore the above Theorem 5.5 and the fact that dipurge is idempotent immediately 
imply that IP-security and dIP-security are equivalent in the static 
case. 

Proposition 5.8. Let $M$ be a system, and let $(\rightarrowtail_s)_{s \in S}$ be a static policy. Then 
$M$ is IP-secure if and only if $M$ is dIP-secure with respect to $(\rightarrowtail_s)_{s \in S}$. 

As expected, the situation is considerably more complex for dynamic policies 
than in the static scenario. For example, it is well-known and easy to see that 
for static, transitive policies, IP-security and P-security coincide. The analogous 
result does not hold in the dynamic case. Consider the example given in Figure 5. 
Here every local policy is transitive, but there are still intransitive effects 
resulting from the dynamic change of the policy. The system is not dP-secure, 
but it is dIP-secure. The class of systems in which such effects do not occur are 
those where, informally, "every edge in the policy that we could possibly use in 
the future is already there in the present state:" 

Proposition 5.9. Let $M$ be a system with policy $(\rightarrowtail_s)_{s \in S}$ such that for all 
states $s$, all actions $a \in A$, all sequences $\alpha \in A^*$, and all agents $u$ with $\mathrm{dom}(a) \in 
\mathrm{disources}(a\alpha, u, s)$, we have $\mathrm{dom}(a) \rightarrowtail_s u$. Then $M$ is dIP-secure with respect 
to $(\rightarrowtail_s)_{s \in S}$ if and only if $M$ is dP-secure with respect to $(\rightarrowtail_s)_{s \in S}$. 



5.7 Consistent Policies and Redundant Edges 

Fig. 6. System with redundant edge 



In our discussion of dP-security, we observed that a policy may contain edges 
that can never be used. Clearly, this issue also occurs in the intransitive case; 
however, the solution is not as simple: In the transitive case, it was sufficient to 
"remove any incoming edge for $u$ that $u$ does not know about," which is the 
informal statement of Theorem 3.5. In the intransitive case, this is clearly not 
true, as is evident from the example in Figure 6. When the system is in 
state $h_1$, then agent $L$ does not know that an edge $D \rightarrowtail L$ is present, since 
for $L$ the states $\varepsilon$ and $h_1$ are indistinguishable; but clearly, the edge cannot be 
removed from the policy without affecting security. However, unusable edges still 
exist in the intransitive case. We call such edges redundant. 

To formalize this notion, it is helpful to consider a different view of our 
security definition. Note that our security definition essentially consists in 
establishing, for each agent $u$, an equivalence relation (which we will call $\sim_u$) on 
states, where the security requirement is that $\sim_u$-equivalent states have identical 
observations (for the agent $u$). It is useful to formalize this in the obvious way: 

Definition 5.10. For a system $M$, policy $(\rightarrowtail_s)_{s \in S}$, and agent $u$, let $\sim_u$ be 
the smallest equivalence relation on the states of $M$ such that for all $s$, $a$, $\alpha$, if 
$\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$, then $s \cdot a\alpha \sim_u s \cdot \alpha$. 

Clearly, a system is dIP-secure if and only if for all $s_1$ and $s_2$ with $s_1 \sim_u s_2$, 
we have that $\mathrm{obs}_u(s_1) = \mathrm{obs}_u(s_2)$. This equivalence relation allows us to easily 
formalize when an edge in the policy is redundant, i.e., can be removed without 
affecting security: 
Definition 5.11. Let $M$ be a system with policy $(\rightarrowtail_s)_{s \in S}$. Let $e$ be an edge in 
$(\rightarrowtail_s)_{s \in S}$, and let $(\rightarrowtail'_s)_{s \in S}$ be the policy obtained from $(\rightarrowtail_s)_{s \in S}$ by removing $e$. 
Then $e$ is redundant, if for all $s, u, a, \alpha$ such that $\mathrm{dom}(a) \in \mathrm{disources}(a\alpha, u, s)$ 
when using the policy $(\rightarrowtail_s)_{s \in S}$, and $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$ when using 
policy $(\rightarrowtail'_s)_{s \in S}$, we have $s \cdot a\alpha \sim_u s \cdot \alpha$ (with respect to the original policy 
$(\rightarrowtail_s)_{s \in S}$). A policy is consistent if it does not contain any redundant edge. 

We show below that this definition exactly captures the edges that are intuitively 
redundant in a policy. We stress that the question whether an edge 
is redundant does not depend on the observation function of the system, but 
only on the policy and the system's transition function, whereas a definition of 
security is concerned with comparing observations in different states. 

Consistency means that there is no edge in the policy which is contradicted 
by other aspects of the policy; we can again interpret this property in the dual 
way: The set of information flows forbidden by a consistent policy is closed 
under logical deduction; every edge that can be shown to represent a forbidden 
information flow is absent from the policy. This is also a property of uniform policies 
in the transitive case; in fact, in the transitive case, uniform and consistent 
policies coincide (except for degenerated cases). We will later see that this is not 
true in the intransitive case. 

As an example of a secure system with a policy that is inconsistent, consider 
the system given in Figure 6. It can be shown that the system is secure (the agent 
$L$ knows whether in the initial state $h_1$ or $h_2$ was performed, as soon as this 
information is transmitted by agent $D$). We now show that the edge $H \rightarrowtail L$ is 
redundant. To see this, consider what happens if we remove this edge from the 
policy. The only states that $L$ is allowed to distinguish with the edge, but not 
without, are combinations of the states $\{h_1, h_1h_1, h_1h_2\}$. However, we observe 
that 

— $h_2h_1 \sim_L h_1$, since $\mathrm{dom}(h_2) \notin \mathrm{disources}(h_2h_1, L, \varepsilon)$, 

— $h_2h_1h_1 \sim_L h_2h_1$, since $\mathrm{dom}(h_1) \notin \mathrm{disources}(h_1, L, h_2h_1)$, 

— $h_2h_1h_1 \sim_L h_1h_1$, since $\mathrm{dom}(h_2) \notin \mathrm{disources}(h_2h_1h_1, L, \varepsilon)$, 

— $h_2h_1h_2 \sim_L h_2h_1$, since $\mathrm{dom}(h_2) \notin \mathrm{disources}(h_2, L, h_2h_1)$, 

— $h_2h_1h_2 \sim_L h_1h_2$, since $\mathrm{dom}(h_2) \notin \mathrm{disources}(h_2h_1h_2, L, \varepsilon)$. 

Symmetry and transitivity of $\sim_L$ imply $h_1 \sim_L h_2h_1 \sim_L h_2h_1h_1 \sim_L h_1h_1$ and 
$h_1 \sim_L h_2h_1 \sim_L h_2h_1h_2 \sim_L h_1h_2$, 

hence all three states $h_1$, $h_1h_1$, $h_1h_2$ are $\sim_L$-equivalent even with respect to the 
original policy. Hence the edge $H \rightarrowtail L$ is indeed redundant (and 
it follows from this discussion that the system would indeed be insecure if $h_1$, 
$h_1h_1$, and $h_1h_2$ did not all have the same observations). 

We now show that redundant edges are exactly those that can be removed 
from a policy without affecting security, and thus our definition of redundant 
edges captures the intuitive notion of an edge being redundant. It follows that 
each dynamic policy is equivalent to a consistent policy, which can be computed 
by removing every redundant edge. 

Theorem 5.12. Let $M$ be a system with a policy $(\rightarrowtail_s)_{s \in S}$. 

— Let $(\rightarrowtail'_s)_{s \in S}$ be obtained from $(\rightarrowtail_s)_{s \in S}$ by removing a set of edges which are 
redundant. Then $M$ is dIP-secure with respect to $(\rightarrowtail_s)_{s \in S}$ if and only if $M$ 
is dIP-secure with respect to $(\rightarrowtail'_s)_{s \in S}$. 

— Let $(\rightarrowtail'_s)_{s \in S}$ be obtained from $(\rightarrowtail_s)_{s \in S}$ by removing an edge that is not 
redundant. Then there exists a system $N$ such that $N$ differs from $M$ only 
in the observation function and that is dIP-secure with respect to $(\rightarrowtail_s)_{s \in S}$, 
but not dIP-secure with respect to $(\rightarrowtail'_s)_{s \in S}$. 

— Let $(\rightarrowtail'_s)_{s \in S}$ be obtained from $(\rightarrowtail_s)_{s \in S}$ by removing the set of all edges that 
are redundant. Then $(\rightarrowtail'_s)_{s \in S}$ is consistent. 



Theorem 5.12 states that for every policy $(\rightarrowtail_s)_{s \in S}$, a consistent policy 
$(\rightarrowtail'_s)_{s \in S}$ that is equivalent to $(\rightarrowtail_s)_{s \in S}$ can be obtained from $(\rightarrowtail_s)_{s \in S}$ by removing all 
redundant edges. The proof also implies that the order in which redundant edges 
are removed is irrelevant in the sense that any sequential, exhaustive removal 
of redundant edges will always result in the same policy. We mention that, in 
contrast to the transitive case, a consistent policy is not necessarily uniform (as 
an example, consider the system in Figure 5, which can also be studied with 
respect to our intransitive security definition). 



5.8 Sound Unwinding Conditions and Uniform Intransitive Policies 

In the above Section 5.3, we obtained an unwinding characterization of dIP-security, 
which however does not yield a polynomial-time algorithm for security 
verification if the number of agents is unbounded. Since the problem is NP-complete, 
such an algorithm, and hence a "small" unwinding, is unlikely to 
exist. However, we can define unwinding conditions that are sound for dIP-security, 
and are sound and complete for a natural subclass of systems with 
associated policies, namely the subclass of systems in which every agent knows 
the set of agents who may currently interfere with him. Formally, we define this 
property as follows; note that this definition is very similar to the uniformity 
condition for the transitive case, the only difference is the notion of states that 
must be indistinguishable. 

Definition 5.13. A policy for a system is intransitively uniform, if for all 
agents $u$, all actions $a$, all states $s$ and all sequences $\alpha$ with $\mathrm{dom}(a) \notin 
\mathrm{disources}(a\alpha, u, s)$, we have $\{v \mid v \rightarrowtail_{s \cdot a\alpha} u\} = \{v \mid v \rightarrowtail_{s \cdot \alpha} u\}$. 

The definition captures the above intuition: If an agent u must not distinguish 
two states by the security definition, then the set of agents that may interfere 
with u must be identical in these two states. We note that while in the transitive 
case, uniform and consistent policies coincide except for degenerated cases, this 
is not true for intransitive noninterference (in fact, neither implication holds). 

Besides being a natural requirement that is often met in a concrete system, 
the class of intransitively uniform policies has two attractive features: First, if we 
have a uniform policy, then checking whether the system satisfies dIP-security 
can be performed in polynomial time. Second, checking whether a policy for a 
given system is intransitively uniform can be done in polynomial time. Both 
of these results follow from characterizations of the respective conditions with 
unwinding relations, which in fact are very similar. In the uniform case, many 
of the subtle issues with dynamic policies do not occur anymore; as an example, 
dIP-security and the security definition from [Les06] coincide for uniform policies. 
However, requiring policies to be uniform is a severe restriction (note that the 
system shown in Figure 5 requires a non-uniform policy). 

We now define the properties of the unwindings that we will be interested in: 

Definition 5.14. A uniform dynamic intransitive unwinding for a system $M$ 
with respect to a policy $(\rightarrowtail_s)_{s \in S}$ is a family of equivalence relations $\approx^{v}_{u}$ on the 
states of $M$, one for each choice of agents $v$ and $u$. We consider the following unwinding 
properties: 

$\mathrm{uOC}^{dip}$ (output consistency): If $s \approx^{v}_{u} t$, then $\mathrm{obs}_u(s) = \mathrm{obs}_u(t)$, 
$\mathrm{uPC}^{dip}$ (policy consistency): If $s \approx^{v}_{u} t$, then $\{w \mid w \rightarrowtail_s u\} = \{w \mid w \rightarrowtail_t u\}$, 
$\mathrm{uSC}^{dip}$ (step consistency): If $s \approx^{v}_{u} t$ and $a \in A$ with $v \not\rightarrowtail_s \mathrm{dom}(a)$, then $s \cdot a 
\approx^{v}_{u} t \cdot a$, 
$\mathrm{uLR}^{dip}$ (local respect): If $\mathrm{dom}(a) \not\rightarrowtail_s u$, then $s \approx^{\mathrm{dom}(a)}_{u} s \cdot a$. 

Both intransitive uniformity and dIP-security (in the case of a uniform policy) 
are characterized with almost exactly the same unwinding: the only difference is 
that for uniformity, we require the condition $\mathrm{uPC}^{dip}$, since here we are concerned 
with having the same policies in certain states, while for security, we require the 
condition $\mathrm{uOC}^{dip}$, as here we are naturally interested in observations. 

Theorem 5.15. Let $M$ be a system with a policy $(\rightarrowtail_s)_{s \in S}$. 

1. The policy $(\rightarrowtail_s)_{s \in S}$ is intransitively uniform if and only if there is a uniform 
dynamic intransitive unwinding for $M$ and $(\rightarrowtail_s)_{s \in S}$ that satisfies $\mathrm{uPC}^{dip}$, 
$\mathrm{uSC}^{dip}$, and $\mathrm{uLR}^{dip}$. 

2. (a) If $M$ is dIP-secure with respect to $(\rightarrowtail_s)_{s \in S}$, then there is a uniform dynamic 
intransitive unwinding for $M$ and $(\rightarrowtail_s)_{s \in S}$ that satisfies $\mathrm{uOC}^{dip}$, 
$\mathrm{uSC}^{dip}$, and $\mathrm{uLR}^{dip}$. 
(b) If $(\rightarrowtail_s)_{s \in S}$ is intransitively uniform and there is a uniform dynamic intransitive 
unwinding for $M$ and $(\rightarrowtail_s)_{s \in S}$ that satisfies $\mathrm{uOC}^{dip}$, $\mathrm{uSC}^{dip}$, 
and $\mathrm{uLR}^{dip}$, then $M$ is dIP-secure with respect to $(\rightarrowtail_s)_{s \in S}$. 

Due to Theorem 5.6, we cannot hope that the above conditions completely 
characterize secure systems, and indeed the systems in Figures 5 and 6 
are examples of systems that are dIP-secure but not intransitively uniform, and 
thus their security cannot be shown with a uniform dynamic intransitive unwinding. 
Theorem 5.15 immediately yields polynomial-time algorithms to verify the 
respective conditions via a standard dynamic programming approach: 

Corollary 5.16. — Verifying whether a policy is intransitively uniform can be 
performed in nondeterministic logarithmic space. 
— For systems with intransitively uniform policies, verifying whether a system 
is dIP-secure can be performed in nondeterministic logarithmic space. 

In particular, it can be tested in polynomial time whether a system satisfies 
intransitive uniformity of the policy and dIP-security simultaneously. The 
above shows that the complexity of dynamic noninterference comes from the 
combination of dynamic policies that do not allow agents to "see" their allowed 
sources of information with an intransitive security definition. We note that in 
the transitive case, this interplay does not arise, since there a system necessarily 
has to allow principals to "see" their incoming edges, at least those edges that 
will be used for information flow (see Theorem 3.5). 



5.9 An application to the static case 

Recall that in the static case, our notion of noninterference security is equivalent 
to IP-security as defined in [HY87]. For IP-security, Rushby gave unwinding 
conditions that are sufficient, but not necessary. This left open the question 
whether there is an unwinding condition that exactly characterizes IP-security. 
We can answer this question positively: Clearly, a static policy is intransitively 
uniform. Hence our results immediately yield a characterization of IP-security 
with the above unwinding conditions, and from these, an algorithm verifying IP-security 
in nondeterministic logarithmic space can be obtained in the straightforward 
manner. 

Corollary 5.17. 

1. A system with a static intransitive policy is IP-secure if and only if it has a 
dynamic unwinding satisfying $\mathrm{uOC}^{dip}$, $\mathrm{uSC}^{dip}$, and $\mathrm{uLR}^{dip}$. 

2. Static IP-security can be verified in nondeterministic logarithmic space. 



6 Conclusion 

We have shown that dynamic noninterference is considerably different from static 
noninterference: An allowed interference in one state may contradict a forbidden 
interference in another state. Our new definitions of transitive and intransitive 
dynamic noninterference address and correct these issues. Our purge- and 
unwinding-based characterizations show that our definitions are natural, and directly 
lead to our complexity results. In this paper, we studied generalizations 
of IP-security to the dynamic setting. An interesting open question is to study 
TA-security in a dynamic setting. Preliminary results indicate that such a generalization 
needs to use a very different approach from the one used in the current 
paper. 



A Additional Results 



In this section we present and prove additional results which were informally 
mentioned in the main paper. 
A.1 Initial-State Verification Suffices for Uniform Policies 

One noteworthy difference to the static case is that it is necessary to evaluate the 
dpurge-function in every state, and not only in the initial state: The example in 
Figure 7 is secure if we only consider traces starting in the initial state, but can 
easily be seen to not be dP-secure. 




However, in the case of uniform policies, it suffices to consider traces starting 
in the initial state, as we now show. 

Theorem A.1. Let $M$ be a system with a uniform policy. Then the system 
$M$ is dP-secure iff for all $u \in D$ and all $\alpha \in A^*$: $\mathrm{obs}_u(s_0 \cdot \alpha) = \mathrm{obs}_u(s_0 \cdot 
\mathrm{dpurge}(\alpha, u, s_0))$. 

Proof. Assume that $M$ is a secure system. Then from $s_0 \cdot \alpha \sim_u s_0 \cdot 
\mathrm{dpurge}(\alpha, u, s_0)$ it follows from output consistency that $\mathrm{obs}_u(s_0 \cdot \alpha) = \mathrm{obs}_u(s_0 \cdot 
\mathrm{dpurge}(\alpha, u, s_0))$. 

For the other direction of the proof, we consider $\alpha, \beta \in A^*$ with 
$\mathrm{dpurge}(\alpha, u, s) = \mathrm{dpurge}(\beta, u, s)$. Then there exists $\gamma \in A^*$ with $s = s_0 \cdot \gamma$. It 
follows that $s_0 \cdot \gamma \sim_u s_0 \cdot \mathrm{dpurge}(\gamma, u, s_0)$. This gives 

$\mathrm{obs}_u(s \cdot \alpha) = \mathrm{obs}_u(s_0 \cdot \gamma\alpha)$ 
$= \mathrm{obs}_u(s_0 \cdot \mathrm{dpurge}(\gamma\alpha, u, s_0))$ 
$= \mathrm{obs}_u(s_0 \cdot \mathrm{dpurge}(\gamma, u, s_0)\,\mathrm{dpurge}(\alpha, u, s_0 \cdot \mathrm{dpurge}(\gamma, u, s_0)))$ 
$= \mathrm{obs}_u(s_0 \cdot \mathrm{dpurge}(\gamma, u, s_0)\,\mathrm{dpurge}(\alpha, u, s_0 \cdot \gamma))$ 
$= \mathrm{obs}_u(s_0 \cdot \mathrm{dpurge}(\gamma, u, s_0)\,\mathrm{dpurge}(\beta, u, s_0 \cdot \gamma))$ 
$= \mathrm{obs}_u(s_0 \cdot \beta)$. 
A.2 Some properties of the purge function 

Here we show that our purge function in the transitive case behaves very naturally 
in the case of uniform policies. 

Lemma A.2. Let $M$ be a system. For every $u \in D$, $s, t \in S$ and $\alpha, \beta \in A^*$, we 
have 

1. $\mathrm{dpurge}(\mathrm{dpurge}(\alpha, u, s), u, s) = \mathrm{dpurge}(\alpha, u, s)$, 

2. $\mathrm{dpurge}(\alpha\beta, u, s) = \mathrm{dpurge}(\alpha, u, s)\,\mathrm{dpurge}(\beta, u, s \cdot \mathrm{dpurge}(\alpha, u, s))$, 

3. if $M$ has a uniform policy and if $\sim_u$ is an unwinding that satisfies $\mathrm{LR}^{dp}$ and 
$\mathrm{SC}^{dp}$ and if $s \sim_u t$, then $s \cdot \alpha \sim_u t \cdot \mathrm{dpurge}(\alpha, u, t)$ and $\mathrm{dpurge}(\alpha, u, s) = 
\mathrm{dpurge}(\alpha, u, t)$. 

Proof. 1. We show this by an induction on the length of $\alpha$. Since the base case 
is obvious, we proceed with the inductive step. We consider $a\alpha$ with $a \in A$ 
and $\alpha \in A^*$ and assume that the claim holds for $\alpha$. We distinguish two 
cases: 

(a) If $\mathrm{dom}(a) \rightarrowtail_s u$, we have 

$\mathrm{dpurge}(\mathrm{dpurge}(a\alpha, u, s), u, s) = \mathrm{dpurge}(a\,\mathrm{dpurge}(\alpha, u, s \cdot a), u, s)$ 
$= a\,\mathrm{dpurge}(\mathrm{dpurge}(\alpha, u, s \cdot a), u, s \cdot a)$ 
$= a\,\mathrm{dpurge}(\alpha, u, s \cdot a)$ 
$= \mathrm{dpurge}(a\alpha, u, s)$. 

(b) If $\mathrm{dom}(a) \not\rightarrowtail_s u$, we have 

$\mathrm{dpurge}(\mathrm{dpurge}(a\alpha, u, s), u, s) = \mathrm{dpurge}(\mathrm{dpurge}(\alpha, u, s), u, s)$ 
$= \mathrm{dpurge}(\alpha, u, s)$ 
$= \mathrm{dpurge}(a\alpha, u, s)$. 

2. We show this claim by an induction on the length of $\alpha$ and consider again 
$a\alpha$. We get the following two cases: 

(a) If $\mathrm{dom}(a) \rightarrowtail_s u$, we have 

$\mathrm{dpurge}(a\alpha\beta, u, s) = a\,\mathrm{dpurge}(\alpha\beta, u, s \cdot a)$ 
$= a\,\mathrm{dpurge}(\alpha, u, s \cdot a)\,\mathrm{dpurge}(\beta, u, s \cdot a\,\mathrm{dpurge}(\alpha, u, s \cdot a))$ 
$= \mathrm{dpurge}(a\alpha, u, s)\,\mathrm{dpurge}(\beta, u, s \cdot \mathrm{dpurge}(a\alpha, u, s))$. 

(b) If $\mathrm{dom}(a) \not\rightarrowtail_s u$, we have 

$\mathrm{dpurge}(a\alpha\beta, u, s) = \mathrm{dpurge}(\alpha\beta, u, s)$ 
$= \mathrm{dpurge}(\alpha, u, s)\,\mathrm{dpurge}(\beta, u, s \cdot \mathrm{dpurge}(\alpha, u, s))$ 
$= \mathrm{dpurge}(a\alpha, u, s)\,\mathrm{dpurge}(\beta, u, s \cdot \mathrm{dpurge}(a\alpha, u, s))$. 

3. This can be shown by an induction on the length of $\alpha$. 

□ 
A.3 Equivalence of Intransitive Security Definitions for Uniform 
Policies 

We now show that in the case of an intransitively uniform policy a system is secure 
with respect to the definition of [Les06] if and only if it is dIP-secure. 

We first show the following lemma, which intuitively says that if the first 
action of $a\alpha$ is not transmitted to $u$ on the path $a\alpha$, then the same actions on 
the remaining path $\alpha$ are transmitted to $u$ when evaluating $\alpha$ from the state 
$s$ or from the state $s \cdot a$ in the case of uniform policies. This is the key reason 
why for uniform policies, the difference between Leslie's function $\mathrm{dipurge}'$ and 
our $\mathrm{dipurge}$ is irrelevant. 

Lemma A.3. Let $M$ be a system with an intransitively uniform policy $(\rightarrowtail_s)_{s \in S}$. 
Let $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$, where $\alpha = \beta b \beta'$. Then 

$\mathrm{dom}(b) \in \mathrm{disources}(b\beta', u, s \cdot \beta)$ iff $\mathrm{dom}(b) \in \mathrm{disources}(b\beta', u, s \cdot a\beta)$. 

Proof. Assume this is not the case, and let $b\beta'$ be a minimal counterexample. 
First assume that $\mathrm{dom}(b) \in \mathrm{disources}(b\beta', u, s \cdot a\beta)$ and $\mathrm{dom}(b) \notin 
\mathrm{disources}(b\beta', u, s \cdot \beta)$. Then there is some $\mathrm{dom}(c) \in \mathrm{disources}(\beta', u, s \cdot a\beta \cdot b)$ 
with $\mathrm{dom}(b) \rightarrowtail_{s \cdot a\beta} \mathrm{dom}(c)$, and due to minimality of $b\beta'$ it follows that $\mathrm{dom}(c) \in 
\mathrm{disources}(\beta', u, s \cdot \beta b)$. Since $\mathrm{dom}(b) \notin \mathrm{disources}(b\beta', u, s \cdot \beta)$, it thus follows 
that $\mathrm{dom}(b) \not\rightarrowtail_{s \cdot \beta} \mathrm{dom}(c)$. This is a contradiction to the intransitive uniformity of 
$(\rightarrowtail_s)_{s \in S}$, since $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta, \mathrm{dom}(c), s)$, and hence the states $s \cdot a\beta$ and $s \cdot \beta$ 
must have the same incoming edges for $\mathrm{dom}(c)$. 

The second case is essentially identical: Assume that $\mathrm{dom}(b) \in 
\mathrm{disources}(b\beta', u, s \cdot \beta)$ and $\mathrm{dom}(b) \notin \mathrm{disources}(b\beta', u, s \cdot a\beta)$. Then there is 
some $\mathrm{dom}(c) \in \mathrm{disources}(\beta', u, s \cdot \beta b)$ with $\mathrm{dom}(b) \rightarrowtail_{s \cdot \beta} \mathrm{dom}(c)$. Due to the 
minimality of $b\beta'$, it follows that $\mathrm{dom}(c) \in \mathrm{disources}(\beta', u, s \cdot a\beta b)$, hence 
$\mathrm{dom}(b) \not\rightarrowtail_{s \cdot a\beta} \mathrm{dom}(c)$. Since $s \cdot a\beta$ and $s \cdot \beta$ must have the same incoming edges for $\mathrm{dom}(c)$ due to the above, we have a 
contradiction to the uniformity of $(\rightarrowtail_s)_{s \in S}$. □ 

From the above lemma, we can now easily show that for uniform policies, 
dIP-security and security in the sense of [Les06] coincide: 

Theorem A.4. Let $M$ be a system with an intransitively uniform dynamic policy 
$(\rightarrowtail_s)_{s \in S}$. Then $M$ is dIP-secure if and only if $M$ is secure with respect to 
the definition in [Les06]. 

Proof. Due to Theorem 5.5, it suffices to show that in the case of a uniform 
policy, the functions $\mathrm{dipurge}$ and $\mathrm{dipurge}'$ coincide. Assume indirectly that 
this is not the case, and let $\alpha$ be a minimal sequence such that there exist a 
state $s$ and an agent $u$ with $\mathrm{dipurge}(\alpha, u, s) \neq \mathrm{dipurge}'(\alpha, u, s)$. Clearly $\alpha \neq \varepsilon$, 
hence assume that $\alpha = a\alpha'$. 

First assume that $\mathrm{dom}(a) \in \mathrm{disources}(a\alpha', u, s)$. In this case, we have (by 
definition and minimality of $\alpha$) that 

$\mathrm{dipurge}(a\alpha', u, s) = a\,\mathrm{dipurge}(\alpha', u, s \cdot a)$ 
$= a\,\mathrm{dipurge}'(\alpha', u, s \cdot a) = \mathrm{dipurge}'(a\alpha', u, s)$, 

which is a contradiction to the choice of $\alpha$. 

Hence assume that $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha', u, s)$. By definition, it follows 
that $\mathrm{dipurge}(a\alpha', u, s) = \mathrm{dipurge}(\alpha', u, s)$ and $\mathrm{dipurge}'(a\alpha', u, s) = 
\mathrm{dipurge}'(\alpha', u, s \cdot a) = \mathrm{dipurge}(\alpha', u, s \cdot a)$ (the final equality is due to the 
minimality of $\alpha$). 

It hence suffices to show that $\mathrm{dipurge}(\alpha', u, s) = \mathrm{dipurge}(\alpha', u, s \cdot a)$. This 
easily follows by induction on Lemma A.3: The same actions of $\alpha'$ are transmitted 
to $u$ when evaluating $\alpha'$ starting in the state $s$ and in $s \cdot a$. □ 



A.4 Example why symmetric unwindings do not work in the 
intransitive case 

Fig. 8. System 

To see why a symmetric unwinding will not work, consider the system in 
Figure 8. For ease of notation, we will identify states with the action sequences 
that lead to them starting from the initial state, e.g., with $hdd$, we denote the 
right-most state in the upper branch of the system. 

First note that the system is insecure: The states $hdd$ and $dd$ have different 
observation functions, however on the path $hdd$, the action $h$ remains invisible 
for $L$ (formally: $\mathrm{dom}(h) \notin \mathrm{disources}(hdd, L, \varepsilon)$). To characterize this with an unwinding, 
one could proceed as follows: By the same argument as above, the states 
$hd$ and $d$ must be "equivalent," as $\mathrm{dom}(h) \notin \mathrm{disources}(hd, L, \varepsilon)$. However, if we 
now perform an additional $d$-action (to allow establishing equivalence between 
$hdd$ and $dd$), we have the following problem: In the state $d$, there is an allowed 
interference $D \rightarrowtail L$ (and in both branches of the system, $D$ "knows" whether 
$H$ was performed in the initial state). However, the presence of this edge in the 
policy cannot "transmit" the action $h$ on the path $dd$, since the $h$-action simply 
was not performed on that path. However, if the interference was allowed in the 
state $hd$, then clearly, the system would be secure. Therefore, even though we 
would like to call the states $hd$ and $d$ "equivalent," this notion is not symmetric, 
as the presence of an interference $D \rightarrowtail L$ in one state has different consequences 
than the presence of such an edge in the other. This leads us to the following 
notion of an "unwinding": here, whenever $s \trianglelefteq_{D'} t$, the state $s$ should be seen 
as the state on the branch $s_0 \cdot a\alpha$, whereas $t$ is a state on the branch $s_0 \cdot \alpha$. 



B Proofs 



In this section we give proofs for the results claimed in the paper. 
B.1 Proof of Theorem 3.3 



Proof. First, we will show that 1 implies 3. Let $M$ be a dP-secure system. Let 
$u \in D$. Define for every $s, t \in S$: 

$s \sim_u t$ iff for all $\alpha \in A^*$: $\mathrm{obs}_u(s \cdot \alpha) = \mathrm{obs}_u(t \cdot \alpha)$. 

The condition $\mathrm{OC}^{dp}$ is satisfied with $\alpha = \varepsilon$. For the condition $\mathrm{SC}^{dp}$, we consider 
$s, t \in S$ with $s \sim_u t$ and let $a \in A$. Then for all $\alpha \in A^*$, we have $s \cdot \alpha \sim_u t \cdot \alpha$ and 
also $s \cdot a\alpha \sim_u t \cdot a\alpha$. Therefore, $s \cdot a \sim_u t \cdot a$. For the condition $\mathrm{LR}^{dp}$, we consider 
$a \in A$ and $s \in S$ with $\mathrm{dom}(a) \not\rightarrowtail_s u$. Since $s$ is a reachable state, there exists $\alpha \in A^*$ 
with $s = s_0 \cdot \alpha$. The definition of dP-security states that for every $\beta \in A^*$ the 
equality of $\mathrm{obs}_u(s \cdot a\beta)$ and $\mathrm{obs}_u(s \cdot \beta)$ holds. Therefore, $s \sim_u s \cdot a$. 

We assume that 3 holds and will prove 2. Let $M$ be a dP-secure system. 
Let $u \in D$. Then there exists an unwinding that satisfies $\mathrm{LR}^{dp}$, $\mathrm{SC}^{dp}$ and $\mathrm{OC}^{dp}$. 
We will show by an induction on the combined length of $\alpha$ and $\beta$ that for 
every state $s \in S$: $\mathrm{dpurge}(\alpha, u, s) = \mathrm{dpurge}(\beta, u, s)$ implies $s \cdot \alpha \sim_u s \cdot \beta$. The 
base case with $\alpha = \beta = \varepsilon$ is clear. For the inductive step consider $\alpha$ and $\beta$ 
with $\mathrm{dpurge}(\alpha, u, s) = \mathrm{dpurge}(\beta, u, s)$ for some state $s$. We have to consider two 
cases: 

Case 1: $\alpha = a\alpha'$ for some $a \in A$, $\alpha' \in A^*$ and $\mathrm{dom}(a) \not\rightarrowtail_s u$. Then we have 
$\mathrm{dpurge}(a\alpha', u, s) = \mathrm{dpurge}(\alpha', u, s)$. From the property $\mathrm{LR}^{dp}$ it follows 
that $s \sim_u s \cdot a$, and by $\mathrm{SC}^{dp}$ it follows that $s \cdot \alpha' \sim_u s \cdot a\alpha'$. Applying the 
induction hypothesis gives $s \cdot \alpha' \sim_u s \cdot \beta$, which can be combined to 
$s \cdot \alpha \sim_u s \cdot \beta$. 

Case 2: $\alpha = a\alpha'$ and $\beta = b\beta'$ with $\mathrm{dom}(a) \rightarrowtail_s u$ and $\mathrm{dom}(b) \rightarrowtail_s u$. From 

$a\,\mathrm{dpurge}(\alpha', u, s \cdot a) = \mathrm{dpurge}(a\alpha', u, s)$ 
$= \mathrm{dpurge}(\alpha, u, s)$ 
$= \mathrm{dpurge}(\beta, u, s)$ 
$= b\,\mathrm{dpurge}(\beta', u, s \cdot b)$ 

it follows that $a = b$ and $\mathrm{dpurge}(\alpha', u, s \cdot a) = \mathrm{dpurge}(\beta', u, s \cdot a)$. Applying 
the induction hypothesis gives $s \cdot a\alpha' \sim_u s \cdot b\beta'$. 

In both cases it follows from $\mathrm{OC}^{dp}$ that $\mathrm{obs}_u(s \cdot \alpha) = \mathrm{obs}_u(s \cdot \beta)$. 

For proving the missing implication we assume that 1 does not hold. Therefore, 
there exist $u \in D$, $s \in S$, $a \in A$ and $\alpha \in A^*$ with $\mathrm{dom}(a) \not\rightarrowtail_s u$ and 
$\mathrm{obs}_u(s \cdot a\alpha) \neq \mathrm{obs}_u(s \cdot \alpha)$. Therefore, $\mathrm{dpurge}(a\alpha, u, s) = \mathrm{dpurge}(\alpha, u, s)$ and 
$\mathrm{obs}_u(s \cdot a\alpha) \neq \mathrm{obs}_u(s \cdot \alpha)$. □ 

B.2 Proof of Theorem 3.5 

Proof. Let $M$ be a dP-secure system with respect to the policy $(\rightarrowtail_s)_{s \in S}$ and 
let $u \in D$. Then there is an unwinding $\sim_u$ that satisfies $\mathrm{OC}^{dp}$, $\mathrm{SC}^{dp}$ and $\mathrm{LR}^{dp}$ 
(with respect to the policy $(\rightarrowtail_s)_{s \in S}$). Let $\approx_u$ be the smallest equivalence 
relation that satisfies $\mathrm{SC}^{dp}$ and $\mathrm{LR}^{dp}$ with respect to the policy $(\rightarrowtail'_s)_{s \in S}$. We 
will show that $\approx_u \subseteq \sim_u$. Let $s, t \in S$ with $s \approx_u t$ and $t = s \cdot a$ for some $a \in A$ 
with $\mathrm{dom}(a) \not\rightarrowtail'_s u$. Therefore there exists $s' \in S$ with $s' \sim_u s$ and $\mathrm{dom}(a) \not\rightarrowtail_{s'} u$. 
From $s' \sim_u s' \cdot a$ and $s' \cdot a \sim_u s \cdot a$ follows $s \sim_u t$. 

The other direction of the proof follows directly from the fact that the policy 
$(\rightarrowtail'_s)_{s \in S}$ is at least as restrictive as the policy $(\rightarrowtail_s)_{s \in S}$. □ 

B.3 Proof of Theorem 4.3 

Proof. First, we prove the implication from 1 to 2. Let $M$ be a dotP-secure 
system. Let $u, v \in D$. We say a string $\alpha \in A^*$ has the property $Q$ in a state 
$t \in S$ iff 

there exist no $b \in A$, $\beta, \beta' \in A^*$ with $\alpha = \beta b \beta'$, $v = \mathrm{dom}(b)$ and $v \rightarrowtail_{t \cdot \beta} u$. (*) 

We define a relation $\approx^{v}_{u}$ for every $s, t \in S$ as 

$(s, t) \in \approx^{v}_{u}$ iff $\mathrm{obs}_u(s \cdot \alpha) = \mathrm{obs}_u(t \cdot \alpha)$ 
for all $\alpha \in A^*$ satisfying the property $Q$ in $t$. 

We show that this relation satisfies the properties $\mathrm{OC}^{dotp}$, $\mathrm{SC}^{dotp}$ and 
$\mathrm{LR}^{dotp}$. Let $s \in S$ and $a \in A$ with $\mathrm{dom}(a) = v$ and $v \not\rightarrowtail_s u$. Let $\alpha \in A^*$ 
satisfy the property $Q$ in $s \cdot a$. Since the system is dotP-secure, we have 
$\mathrm{obs}_u(s \cdot a\alpha) = \mathrm{obs}_u(s \cdot \alpha)$. Therefore, $\approx^{v}_{u}$ satisfies $\mathrm{LR}^{dotp}$. Let $(s, t) \in \approx^{v}_{u}$ and 
assume that $(s \cdot a, t \cdot a) \notin \approx^{v}_{u}$ for some $a \in A$ with $\mathrm{dom}(a) \neq v$, or $\mathrm{dom}(a) = v$ and 
$\mathrm{dom}(a) \not\rightarrowtail_t u$. Therefore, there exists $\alpha \in A^*$ that satisfies the property $Q$ in $t \cdot a$ 
and $\mathrm{obs}_u(s \cdot a\alpha) \neq \mathrm{obs}_u(t \cdot a\alpha)$. But also $a\alpha$ satisfies $Q$ in $t$. This contradicts 
$(s, t) \in \approx^{v}_{u}$. For the last property $\mathrm{OC}^{dotp}$ we choose $\alpha = \varepsilon$. 

For showing that 2 implies 1, we assume that $M$ is an insecure system. 
Therefore, there exist $u \in D$, $s \in S$, $a \in A$, $\alpha \in A^*$ such that $\mathrm{dom}(a) \not\rightarrowtail_s u$, $\alpha$ satisfies the 
property $Q$ in $s \cdot a$ and $\mathrm{obs}_u(s \cdot a\alpha) \neq \mathrm{obs}_u(s \cdot \alpha)$. We set $v = \mathrm{dom}(a)$ and let 
$\approx^{v}_{u}$ be a relation that satisfies the properties $\mathrm{LR}^{dotp}$ and $\mathrm{SC}^{dotp}$. From property 
$\mathrm{LR}^{dotp}$ follows $s \approx^{v}_{u} s \cdot a$. Since $\alpha$ satisfies the property $Q$, the property 
$\mathrm{SC}^{dotp}$ gives that $(s \cdot \alpha, s \cdot a\alpha) \in \approx^{v}_{u}$. Therefore, the relation does not satisfy 
the property $\mathrm{OC}^{dotp}$. 

For proving the direction from 1 to 3, we consider a dotP-secure system 
$M$. We assume that there exist $u \in D$, $a \in A$, $\alpha \in A^*$ and $s \in S$ such that 
$\mathrm{dom}(a) \notin \mathrm{dotsources}(a\alpha, u, s)$ and $\mathrm{obs}_u(s \cdot a\alpha) \neq \mathrm{obs}_u(s \cdot \alpha)$ and the length of 
$\alpha$ is minimal for all choices of $u$, $s$, $a$ and $\alpha$. 

Assume there exist $b \in A$, $\beta, \beta' \in A^*$ with $\alpha = \beta b \beta'$ and $\mathrm{dom}(b) = \mathrm{dom}(a)$ and 
$\mathrm{dom}(a) \rightarrowtail_{s \cdot a\beta} u$. Then there exists some set $V \subseteq D$ with 

$\mathrm{dotsources}(a\beta b\beta', u, s) = V \cup \mathrm{dotsources}(b\beta', u, s \cdot a\beta)$ 
$= V \cup \{\mathrm{dom}(a)\} \cup \mathrm{dotsources}(\beta', u, s \cdot a\beta b)$. 

This contradicts the assumption that $\mathrm{dom}(a) \notin \mathrm{dotsources}(a\alpha, u, s)$. 

The missing direction from 3 to 1 is obvious. □ 
B.4 Proof of Theorem [sTsl

Proof. We first consider the dipurge-characterization and then the unwinding conditions.

1. We first show that dIP-security implies the dipurge-characterization. Hence assume that the system is dIP-secure, and indirectly assume that the dipurge-condition is not satisfied. Then there exist a state $s$, an agent $u$, and sequences $\alpha$ and $\beta$ with $\mathrm{dipurge}(\alpha, u, s) = \mathrm{dipurge}(\beta, u, s)$ and $\mathrm{obs}_u(s \cdot \alpha) \neq \mathrm{obs}_u(s \cdot \beta)$. We choose $\alpha$ and $\beta$ such that $|\alpha| + |\beta|$ is minimal among all such examples. Clearly, if both $\alpha$ and $\beta$ start with an action that is transmitted to $u$, then this action must be the same: if $\alpha = a\alpha'$ with $\mathrm{dom}(a) \in \mathrm{disources}(a\alpha', u, s)$ and $\beta = b\beta'$ with $\mathrm{dom}(b) \in \mathrm{disources}(b\beta', u, s)$, then $\mathrm{dipurge}(\alpha, u, s)$ starts with $a$ and $\mathrm{dipurge}(\beta, u, s)$ starts with $b$. It thus follows that $a = b$, and hence we could use the state $s' = s \cdot a$ and the sequences $\alpha'$ and $\beta'$ as a counter-example, which contradicts the minimality of $\alpha$ and $\beta$. Hence we can, without loss of generality, assume that $\alpha = a\alpha'$ for some $a$ with $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha', u, s)$. It thus follows that $\mathrm{dipurge}(\alpha', u, s) = \mathrm{dipurge}(\alpha, u, s) = \mathrm{dipurge}(\beta, u, s)$. Since the system is secure, we also have $\mathrm{obs}_u(s \cdot \alpha') = \mathrm{obs}_u(s \cdot a\alpha') = \mathrm{obs}_u(s \cdot \alpha) \neq \mathrm{obs}_u(s \cdot \beta)$, and hence we again obtain a contradiction to the minimality of $\alpha$ and $\beta$ (choosing $\alpha'$ instead of $\alpha$).

We now show the converse, i.e., that the dipurge-characterization implies dIP-security. Hence assume that the system satisfies the dipurge-condition. To show interference security, let $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$ for some agent $u$ and state $s$; we show that $\mathrm{obs}_u(s \cdot a\alpha) = \mathrm{obs}_u(s \cdot \alpha)$. Note that since $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$, it follows that $\mathrm{dipurge}(a\alpha, u, s) = \mathrm{dipurge}(\alpha, u, s)$. Hence from the prerequisites of the theorem it follows that $\mathrm{obs}_u(s \cdot a\alpha) = \mathrm{obs}_u(s \cdot \alpha)$ as required.

2. We prove that the unwinding condition is also equivalent to dIP-security. First assume that there is a dynamic intransitive unwinding $(\sim_{D'})_{D' \subseteq D}$ for $M$ with respect to $(\rightsquigarrow_s)_{s \in S}$. We show that the system is dIP-secure. For this it suffices to show that if $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$, then $s \cdot a\alpha \sim_{D'} s \cdot \alpha$ for some set $D'$ with $u \in D'$. For each prefix $\alpha'$ of $\alpha$, let $D_{\alpha'}$ be defined as

$D_{\alpha'} = \{ v \in D \mid \mathrm{dom}(a) \notin \mathrm{disources}(a\alpha', v, s) \}$.

Clearly, if $\alpha'$ is a prefix of $\alpha''$, then $D_{\alpha''} \subseteq D_{\alpha'}$. Since $u \in D_\alpha$, it suffices to show that $s \cdot a\alpha' \sim_{D_{\alpha'}} s \cdot \alpha'$ for all prefixes $\alpha'$ of $\alpha$. We show the claim by induction. For $\alpha' = \varepsilon$, the claim follows from dLR$^{\mathrm{dIP}}$, since $\mathrm{dom}(a) \not\rightsquigarrow_s u$. Hence assume that $\alpha' = \beta b$ for some sequence $\beta$ and action $b$. By induction, we have that $s \cdot a\beta \sim_{D_\beta} s \cdot \beta$, where $D_\beta$ contains all agents $v$ with $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta, v, s)$. Now let $u \in D_{\alpha'}$; it then also follows that $u \in D_\beta$. Let $D'$ be defined as in the condition dSC$^{\mathrm{dIP}}$. Since the condition implies $s \cdot a\beta b \sim_{D'} s \cdot \beta b$, it suffices to show that $u \in D'$. Clearly this is the case if $\mathrm{dom}(b) \in D_\beta$, i.e., if $D_\beta = D'$. Hence assume this is not the case; by definition of $D_\beta$ it then follows that $\mathrm{dom}(a) \in \mathrm{disources}(a\beta, \mathrm{dom}(b), s)$. Since $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta b, u, s)$, this implies that $\mathrm{dom}(b) \not\rightsquigarrow_{s \cdot a\beta} u$, hence $u \in D'$ follows in this case as well.

For the other direction, assume that the system is secure. We define $s \sim_{D'} t$ if there is a state $\hat{s}$, an action $a$ and a sequence $\alpha$ such that $s = \hat{s} \cdot a\alpha$, $t = \hat{s} \cdot \alpha$, and for all $u \in D'$ we have $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, \hat{s})$. We claim that this defines a dynamic intransitive unwinding for $M$ with respect to $(\rightsquigarrow_s)_{s \in S}$. Since the system is dIP-secure, the condition dOC$^{\mathrm{dIP}}$ is obviously satisfied. The condition dLR$^{\mathrm{dIP}}$ follows from the fact that if $\mathrm{dom}(a) \not\rightsquigarrow_s u$, then $\mathrm{dom}(a) \notin \mathrm{disources}(a, u, s)$. It remains to show dSC$^{\mathrm{dIP}}$. Hence let $s \sim_{D'} t$, and let $\hat{s}$, $a$ and $\alpha$ be chosen with the above properties. Let $b$ be an action, and let $D''$ be the set resulting from applying dSC$^{\mathrm{dIP}}$. It remains to show that for each $u \in D''$ we have $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha b, u, \hat{s})$. First assume that $\mathrm{dom}(b) \in D'$; it then follows from the definition of $\sim_{D'}$ that $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, \mathrm{dom}(b), \hat{s})$, and hence $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha b, u, \hat{s})$. On the other hand, if $\mathrm{dom}(b) \notin D'$, then from $u \in D''$ we know that $\mathrm{dom}(b) \not\rightsquigarrow_{\hat{s} \cdot a\alpha} u$, and hence from $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, \hat{s})$ (since $u \in D'$) and $\mathrm{disources}(a\alpha b, u, \hat{s}) = \mathrm{disources}(a\alpha, u, \hat{s})$, it follows that $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha b, u, \hat{s})$ as required.

□

B.5 Proof of Theorem K6\ 

Theorem B.1. Checking whether a system is not dIP-secure can be done in NP.

Proof. The algorithm simply guesses the corresponding values of $a$, $u$, $s$ and $\alpha$, and verifies that these satisfy $\mathrm{obs}_u(s \cdot a\alpha) \neq \mathrm{obs}_u(s \cdot \alpha)$ and $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$ in the straightforward way. To show that this gives an NP algorithm, it suffices to show that the length of $\alpha$ can be bounded polynomially in the size of the system. We show that if the system is insecure, then $\alpha$ can be chosen with $|\alpha| \leq |S|^2$.

To show this, let $\alpha$ be a path of minimal length satisfying the above. Let $F_s$ and $F_{s \cdot a}$ be the finite state machines obtained when starting the system in the states $s$ and $s \cdot a$, respectively, and let $F = F_s \times F_{s \cdot a}$, with initial state $(s, s \cdot a)$. Clearly, in $F$ we have $(s, s \cdot a) \cdot \alpha = (s \cdot \alpha, s \cdot a\alpha)$. If $|\alpha| > |S|^2$, then $\alpha$ visits a state of $F$ twice, i.e., $\alpha$ contains a nontrivial loop. Such a loop can be removed from $\alpha$ without changing the states that are reached. Clearly, removing a loop does not add information flow, hence the thus-obtained $\alpha'$ also satisfies the prerequisites for $\alpha$, which is a contradiction to the minimality of $\alpha$. □

Theorem B.2. For every security definition that is at least as strict as information-flow-security and at least as permissive as interference-security, the problem to determine whether a given system is insecure is NP-hard under $\leq^{\log}_m$-reductions.
We reduce from the 3-colorability problem for graphs. Let a graph $G$ with vertices $u_1, \dots, u_n$ and edges $(v^1_1, v^2_1), \dots, (v^1_m, v^2_m)$ be given. We construct a system $M^G$ as follows:

— for each vertex $u$, there is an agent $u$ with actions $u{=}0$, $u{=}1$ and $u{=}2$, and there are agents $u^0$, $u^1$, $u^2$, each having exactly one action, which for simplicity we denote with the agent's name. Additionally, there is an agent $h$ with a single action $h$, and an agent $L$ with a single action $L$.

— for each vertex $u$, we construct a subsystem $C(u)$ (see Figure 9) that models the choice of coloring of $u$ in the graph. In $C(u)$ and all following systems, all transitions that are not explicitly indicated in the graphical representation loop in the corresponding state.

Fig. 9. System $C(u)$

— for each edge $(u, v)$, we construct a subsystem $E(u, v)$ (see Figure 11), which enforces that the colors of $u$ and $v$ must be different. The edges labelled with a transition of the form $u^{ij}$ represent two consecutive edges, the first one with the transition $u^i$ and the second one labelled with the transition $u^j$, where the policy is repeated between the two transitions.

— the system $M^G$ is now designed as shown in Figure 10. We denote the leftmost state with $s_0$. The unlabelled arrows between the different $C(u)$- and $E(u, v)$-nodes express that the final node of one is the starting node of the other. The subsystems $C'(u)$ and $E'(u, v)$ are defined in the same way as $C(u)$ and $E(u, v)$, except that here, in all states we have policies that allow interference between any two agents. With $\mathit{last}$ we denote the final state of $E(v^1_m, v^2_m)$, and with $\mathit{last}'$ the final state of $E'(v^1_m, v^2_m)$. We define the observation functions as follows: $\mathrm{obs}_L(\mathit{last}') = 1$, and for all other combinations of agent $u$ and state $s$, $\mathrm{obs}_u(s) = 0$.

The main property of $M^G$ is that it is possible to find a path $h\alpha$ from $s_0$ to $\mathit{last}$ that does not transmit $h$ to $L$ if and only if $G$ is 3-colorable:

Definition B.3. A path $h\alpha$ is hiding, if $\mathrm{dom}(h) \notin \mathrm{disources}(h\alpha, L, s_0)$, and $s_0 \cdot h\alpha = \mathit{last}$.

Intuitively, the subsystem $C(u)$ forces the agent $u$ to "choose" a color $i \in \{0, 1, 2\}$, by performing the action $u{=}i$. For each edge $(u, v)$ or $(v, u)$ in which $u$ is involved, the agent $u$ later repeats the same transition in the subsystem $E(u, v)$ (or $E(v, u)$). These systems ensure that no two agents that are connected with an edge can choose the same color: if they do, then a dead-end is reached. To ensure that agents are consistent in their choice of colors (i.e., choose the same color in later $E(u, v)$-systems as in the $C(u)$ system, and consequently choose the same color for each $E(u, v)$-system), we use the following construction: When agent $u$ chooses color $i$ in $C(u)$, the agent $u^i$ "receives" interference from $h$. If the agent $u$ later claims to have a color different from $i$, then the only available path is one that allows an interference between $u^i$ and $L$, which transmits the information about $h$ to $L$.

Fig. 10. Complete system $M^G$

Lemma B.4. There is a hiding path if and only if $G$ is 3-colorable.

Proof. First assume that $G$ is 3-colorable, hence let $c\colon \{u_1, \dots, u_n\} \to \{0, 1, 2\}$ be a coloring function such that for all edges $(u, v) \in E$ we have $c(u) \neq c(v)$. We construct the path $a\alpha$ as the unique path from $s_0$ to $\mathit{last}$ that starts with $L$, does not use loops in any state, and where each agent $u$ chooses the action $u{=}c(u)$ whenever the current state has more than one non-looping action. Since $c$ is a 3-coloring, this path does not hit a dead-end in any of the $E(u, v)$-systems, and in particular reaches the state $\mathit{last}$. Due to the construction of the path, whenever a transition $u^i$ is performed, the action $u^i$ has never been performed before on the path, and thus $u^i$ has not received $h$. Hence none of the agents interfering with $L$ has received the action $h$, and thus $\mathrm{dom}(h) \notin \mathrm{disources}(a\alpha, L, s_0)$, i.e., $a\alpha$ is hiding.

For the other direction, assume that there is a hiding path $a\alpha$. Without loss of generality, we can assume that $a\alpha$ does not use any actions that loop in the current state. Since $a\alpha$ is hiding, we know that $s_0 \cdot a\alpha = \mathit{last}$; in particular, every subsystem $C(u)$ and $E(u, v)$ is passed when following $a\alpha$ from $s_0$. We can thus define a coloring $c\colon \{u_1, \dots, u_n\} \to \{0, 1, 2\}$ by $c(u) = i$, where $i$ is the unique value such that at the start of $C(u)$, the action $u{=}i$ is performed by $u$. We claim that this is a 3-coloring of $G$.

For this, first observe that on $a\alpha$, no action $u{=}j$ is performed for $j \neq c(u)$: Due to the above, no looping action is performed. Now observe that after the performance of $u{=}c(u)$ in $C(u)$, the agent $u^{c(u)}$ has received the $h$-event. Now after a later performance of the action $u{=}j$, every path that proceeds to $\mathit{last}$ uses a transition $u^{c(u)}$ in a state where $u^{c(u)} \rightsquigarrow L$, which is a contradiction to the assumption that $h\alpha$ is hiding.

We now show that for each edge $(u, v)$ of $G$ we have $c(u) \neq c(v)$. Since $a\alpha$ is hiding, $a\alpha$ passes through the subsystem $E(u, v)$. Due to the above, in this subsystem the actions $u{=}c(u)$ and $v{=}c(v)$ are performed at the relevant states. If $c(u)$ and $c(v)$ were equal, this would reach a dead-end state, which is a contradiction, as $a\alpha$ is hiding and hence $s_0 \cdot a\alpha = \mathit{last}$. □

Since $M^G$ can clearly be constructed from $G$ in logarithmic space, the following lemma now proves Theorem B.2.

Lemma B.5. — If $G$ is 3-colorable, then $M^G$ is not information-flow-secure (and hence not secure with respect to the definition under consideration).
— If $G$ is not 3-colorable, then $M^G$ is interference-secure (and hence secure with respect to the definition under consideration).

Proof. First assume that $G$ is 3-colorable. By Lemma B.4 there is a hiding path $h\alpha$. In particular, $s_0 \cdot h\alpha = \mathit{last}$. Since the action $h$ loops in the state $s_0 \cdot h$, we can without loss of generality assume that $\alpha$ does not start with $h$, and hence $s_0 \cdot \alpha = \mathit{last}'$. Since $h\alpha$ is hiding, we know that $\mathrm{dom}(h) \notin \mathrm{disources}(h\alpha, L, s_0)$. Since in $s_0$ there is no outgoing edge from $h$, we also know that $\{\mathrm{dom}(h)\} \cap \mathrm{disources}(\alpha, L, s_0) = \emptyset$. Since $\mathrm{obs}_L(\mathit{last}) \neq \mathrm{obs}_L(\mathit{last}')$, it follows that $M^G$ is not information-flow-secure.

Now assume that $G$ is not 3-colorable, and indirectly assume that $M^G$ is not interference-secure. Since $L$ is the only agent whose observation function is not constant, this implies that there are a state $s$, an action $a$ and a sequence $\alpha$ such that $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, L, s)$ and $\mathrm{obs}_L(s \cdot a\alpha) \neq \mathrm{obs}_L(s \cdot \alpha)$. Since $\mathit{last}'$ is the only state with an observation different from $0$, we know that $\mathit{last}' \in \{s \cdot a\alpha, s \cdot \alpha\}$. In particular, $s$ is an ancestor of $\mathit{last}'$ in $M^G$. Since $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, L, s)$, we know in particular that $\mathrm{dom}(a) \not\rightsquigarrow_s L$. Since the only ancestor state of $\mathit{last}'$ in which the information-flow policy is not the complete relation is $s_0$, we know that $s = s_0$. Since in $s_0$ all agents except for $h$ may interfere with $L$, we also know that $a = h$. Since $s_0 \cdot h\alpha \neq \mathit{last}'$ for any $\alpha$, we know that $s_0 \cdot \alpha = \mathit{last}'$. From the design of $M^G$, it follows that $s_0 \cdot h\alpha = \mathit{last}$. Since $h \notin \mathrm{disources}(h\alpha, L, s_0)$, it follows that $h\alpha$ is hiding, and thus Lemma B.4 implies that $G$ is 3-colorable as required. □



B.6 Proof of Corollary [sTT]

Proof. It clearly suffices to provide an FPT algorithm. Such an algorithm can be obtained by the standard dynamic programming approach, by first creating a table with an entry for every choice of $s$, $t$ and $D'$ that indicates whether $s \sim_{D'} t$ has already been established. The size of the table is $2^{|D|} \cdot |S|^2$. Now initialize the table with $|S| \cdot |A|$ operations (using the dLR$^{\mathrm{dIP}}$ property), and use the dSC$^{\mathrm{dIP}}$ condition to add entries to the table until no changes are performed anymore. Then the condition dOC$^{\mathrm{dIP}}$ can be verified by checking, for each agent $u$ and each set $D'$ with $u \in D'$, whether for all $s \sim_{D'} t$ we have $\mathrm{obs}_u(s) = \mathrm{obs}_u(t)$. For each choice of $u$ and $D'$, this requires $|S|^2$ accesses to the table. Since the access to the table can be implemented in time $2^{|D|} \cdot \mathrm{poly}(|M|)$, this completes the proof. □

Fig. 11. Subsystem $E(u, v)$
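The table-based check just described, together with the witness search behind Theorem B.1, as an added example (not code from the paper): a Python implementation run on a small constructed two-agent system whose policy depends on the state. The toy system, the reflexivity of the interference relation, the recursive definition of disources and the exact shape of the dLR/dSC rules (taken from the proof of Theorem B.4) are assumptions made here.

```python
from collections import deque

# Constructed toy system (not from the paper).  Agent L switches a
# "declassification" mode on and off with action l; agent H performs action h.
# A state is (mode, seen): mode in {0, 1}, seen = 1 once an h was recorded.
AGENTS = {"H", "L"}
ACTIONS = {"h": "H", "l": "L"}          # action -> dom(action)

def make_system(record_h_in_mode0):
    """If record_h_in_mode0, an h performed while H -/-> L is still recorded
    and becomes visible to L once mode 1 is entered (insecure); otherwise h
    is only recorded in mode 1, where H ~> L is allowed (secure)."""
    states = [(m, seen) for m in (0, 1) for seen in (0, 1)]

    def step(s, b):
        m, seen = s
        if b == "l":
            return (1 - m, seen)
        return (m, 1) if (m == 1 or record_h_in_mode0) else s

    # policy[s]: pairs (v, u) with v ~>_s u; L ~> H always, H ~> L in mode 1.
    policy = {s: {("L", "H")} | ({("H", "L")} if s[0] == 1 else set())
              for s in states}
    obs = {"L": lambda s: s[1] if s[0] == 1 else 0,   # sees h only in mode 1
           "H": lambda s: 0}
    return {"states": states, "step": step, "policy": policy, "obs": obs}

def flows(M, s, v, u):
    """v ~>_s u; the interference relation is taken to be reflexive."""
    return v == u or (v, u) in M["policy"][s]

def run(M, s, seq):
    for b in seq:
        s = M["step"](s, b)
    return s

def disources(M, seq, u, s):
    """Assumed backward definition of the dynamic intransitive sources: the
    empty sequence has the single source u, and dom(b) is a source of b.beta
    for u in t iff dom(b) ~>_t v for some source v of beta for u in t.b."""
    if not seq:
        return {u}
    b, rest = seq[0], seq[1:]
    src = disources(M, rest, u, M["step"](s, b))
    return src | ({ACTIONS[b]} if any(flows(M, s, ACTIONS[b], v) for v in src) else set())

def unwinding_table(M):
    """Table of Section B.6: key (s, t, D') records that s ~_{D'} t holds; the
    value says how it was reached (parent entry and action, or the dLR seed
    (s, a)).  dLR seeds s.a ~_{D'} s with D' = {u | dom(a) -/->_s u}; dSC
    yields s.b ~_{D''} t.b with D'' = D' if dom(b) in D', else
    D'' = {u in D' | dom(b) -/->_s u} (shape as in the proof of Theorem B.4;
    evaluating the policy in s is an assumption)."""
    table, queue = {}, deque()
    for s in M["states"]:
        for a in ACTIONS:
            dprime = frozenset(u for u in AGENTS if not flows(M, s, ACTIONS[a], u))
            queue.append(((M["step"](s, a), s, dprime), (None, (s, a))))
    while queue:
        entry, origin = queue.popleft()
        if entry in table or not entry[2]:      # already known, or D' empty
            continue
        table[entry] = origin
        s, t, dprime = entry
        for b in ACTIONS:
            d2 = dprime if ACTIONS[b] in dprime else frozenset(
                u for u in dprime if not flows(M, s, ACTIONS[b], u))
            queue.append(((M["step"](s, b), M["step"](t, b), d2), (entry, b)))
    return table

def find_witness(M):
    """dOC check: returns (s, a, alpha, u) with dom(a) not in
    disources(a.alpha, u, s) but obs_u(s.a.alpha) != obs_u(s.alpha), or None
    if the system is dIP-secure.  The table has at most 2^|D| * |S|^2 entries,
    so the search is finite without an explicit bound on |alpha|."""
    table = unwinding_table(M)
    for entry in table:
        s, t, dprime = entry
        for u in dprime:
            if M["obs"][u](s) != M["obs"][u](t):
                alpha = []
                while table[entry][0] is not None:   # walk back to the seed
                    entry, b = table[entry]
                    alpha.append(b)
                s0, a = table[entry][1]
                return s0, a, tuple(reversed(alpha)), u
    return None

if __name__ == "__main__":
    for flag in (True, False):
        print("record h in mode 0:", flag, "->", find_witness(make_system(flag)))
```

The witness found for the insecure variant is the sequence $h\,l$ from state $(0,0)$: $h$ is performed while $H \not\rightsquigarrow L$, yet $L$ observes it after switching the mode, which is exactly the dynamic-policy situation in which $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$ while the observations differ.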

B.7 Proof of Proposition [5T9] 

Proof. First assume that $M$ is secure with respect to the transitive definition, and let $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$. In particular, it follows that $\mathrm{dom}(a) \not\rightsquigarrow_s u$. Since $M$ is secure, it follows that $\mathrm{obs}_u(s \cdot a\alpha) = \mathrm{obs}_u(s \cdot \alpha)$ (note that this direction holds in every system).

Now assume that $M$ is secure with respect to the intransitive definition, let $\mathrm{dom}(a) \not\rightsquigarrow_s u$, and let $\alpha$ be an arbitrary action sequence. Since $M$ is essentially transitive and $\mathrm{dom}(a) \not\rightsquigarrow_s u$, we know that $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$. Since $M$ is secure with respect to the intransitive definition, it follows that $\mathrm{obs}_u(s \cdot a\alpha) = \mathrm{obs}_u(s \cdot \alpha)$ as required. □

B.8 Proof of Theorem \5A2\ 

Proof. 1. Clearly, if $M$ is not dIP-secure with respect to $(\rightsquigarrow_s)_{s \in S}$, then $M$ is also not dIP-secure with respect to $(\rightsquigarrow'_s)_{s \in S}$. Using induction, we can assume that $(\rightsquigarrow'_s)_{s \in S}$ arose from $(\rightsquigarrow_s)_{s \in S}$ by removing a single redundant edge $e$. Assume that $M$ is not dIP-secure with respect to $(\rightsquigarrow'_s)_{s \in S}$. Hence there are $a \in A$, $\alpha \in A^*$, $s \in S$ and $u \in D$ such that $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$ (with respect to $(\rightsquigarrow'_s)_{s \in S}$) and $\mathrm{obs}_u(s \cdot a\alpha) \neq \mathrm{obs}_u(s \cdot \alpha)$. Since $M$ is dIP-secure, we know that $\mathrm{dom}(a) \in \mathrm{disources}(a\alpha, u, s)$ (with respect to $(\rightsquigarrow_s)_{s \in S}$). In particular, we know that $s \cdot a\alpha \not\sim_u s \cdot \alpha$. It follows that $e$ is not redundant, a contradiction.

2. For all agents $u$ and all states $s$, define $\mathrm{obs}^N_u(s) = [s]_{\sim_u}$, i.e., the equivalence class of $s$ with respect to $\sim_u$ (where $\sim_u$ refers to the original system $M$). The system $N$ is dIP-secure, since $M$ is dIP-secure. Since $e$ is not redundant, there exist $a$, $\alpha$, $s$, $u$ such that $s \cdot a\alpha \not\sim_u s \cdot \alpha$ and $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$ (with respect to the policy $(\rightsquigarrow'_s)_{s \in S}$). Since $\mathrm{obs}^N_u(s \cdot a\alpha) = [s \cdot a\alpha]_{\sim_u} \neq [s \cdot \alpha]_{\sim_u} = \mathrm{obs}^N_u(s \cdot \alpha)$, it follows that $N$ is not dIP-secure.

3. It easily follows from the definition that if $(\rightsquigarrow'_s)_{s \in S}$ is obtained from $(\rightsquigarrow_s)_{s \in S}$ by removing a set $E$ of edges that are redundant in $(\rightsquigarrow_s)_{s \in S}$, then a remaining edge is redundant in $(\rightsquigarrow'_s)_{s \in S}$ if and only if it is redundant in $(\rightsquigarrow_s)_{s \in S}$. The reason for this is that removing redundant edges does not change the relation $\sim_u$.

□

B.9 Proof of Theorem 5.15

The proof of this theorem highlights an interesting difference between static and dynamic intransitive noninterference: It can easily be shown (see [EvdMSW11]) that if a system is not IP-secure, then there exists a "witness" for the insecurity consisting of a state $s$, an agent $u$, an action $a$ and a sequence $\alpha$ such that

1. $\mathrm{dom}(a) \notin \mathrm{sources}(a\alpha, u)$ and $\mathrm{obs}_u(s \cdot a\alpha) \neq \mathrm{obs}_u(s \cdot \alpha)$ (i.e., these values demonstrate insecurity of the system), and

2. $\alpha$ contains no $b$ with $\mathrm{dom}(a) \rightsquigarrow \mathrm{dom}(b)$.

Intuitively, this means that to verify insecurity, it suffices to consider sequences in which the "secret" action $a$ is not transmitted even one step. This feature is crucial for the polynomial-time algorithm to verify IP-security in [EvdMSW11]. In the dynamic setting, the situation is different: the above-mentioned property does not hold. This is in fact the key reason why no "small" unwinding for dIP-security exists, and why the verification problem is NP-hard. However, in systems with a uniform policy, we can again prove an analogous property, even though the proof is more complicated than for the static setting:

Lemma B.6. Let $M$ be a system with a policy that is intransitively uniform. Then $M$ is interference-insecure if and only if there are $a$, $u$, $s$ and $\alpha$ with $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$, $\mathrm{obs}_u(s \cdot \alpha) \neq \mathrm{obs}_u(s \cdot a\alpha)$, and no $b$ with $\mathrm{dom}(a) \rightsquigarrow_s \mathrm{dom}(b)$ appears in $\alpha$.

Proof. Clearly, if such $a$, $u$, $s$ and $\alpha$ exist, then the system is not dIP-secure. For the converse, let $\alpha$ be of minimal length such that there exist $u$, $s$ and $a$ with $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$ and $\mathrm{obs}_u(s \cdot a\alpha) \neq \mathrm{obs}_u(s \cdot \alpha)$. Indirectly assume that $\alpha = \beta b \beta'$ for some $b$ with $\mathrm{dom}(a) \rightsquigarrow_s \mathrm{dom}(b)$. We consider three cases.

— Assume $\mathrm{obs}_u(s \cdot a\beta b\beta') \neq \mathrm{obs}_u(s \cdot a\beta\beta')$. Note that $\mathrm{dom}(b) \notin \mathrm{disources}(b\beta', u, s \cdot a\beta)$. Hence choosing $s' = s \cdot a\beta$, $a' = b$ and $\alpha' = \beta'$ is a contradiction to the minimality of $\alpha$.

— Assume $\mathrm{obs}_u(s \cdot \beta b\beta') \neq \mathrm{obs}_u(s \cdot \beta\beta')$. To show that this again is a contradiction to the minimality of $\alpha$ (starting in the state $s \cdot \beta$), it suffices to show that $\mathrm{dom}(b) \notin \mathrm{disources}(b\beta', u, s \cdot \beta)$. Hence indirectly assume that $\mathrm{dom}(b) \in \mathrm{disources}(b\beta', u, s \cdot \beta)$, and let $\gamma$ be a minimal prefix of $b\beta'$ such that there is some agent $v$ with

• $\mathrm{dom}(b) \in \mathrm{disources}(\gamma, v, s \cdot \beta)$,

• $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta\gamma, v, s)$.

Since choosing $v = u$ and $\gamma = b\beta'$ satisfies these conditions, such a minimal $\gamma$ exists. Again, consider the point where $v$ "learns" that $b$ was performed, i.e., let $\gamma = \pi c \pi'$ with

• $\mathrm{dom}(b) \in \mathrm{disources}(\pi, \mathrm{dom}(c), s \cdot \beta)$, and

• $\mathrm{dom}(c) \rightsquigarrow_{s \cdot \beta\pi} v$.

Since $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta\gamma, v, s)$ and $\pi$ is a prefix of $\gamma$, the prerequisites of the lemma imply that $v^{\rightsquigarrow}_{s \cdot a\beta\pi} = v^{\rightsquigarrow}_{s \cdot \beta\pi}$; in particular, $\mathrm{dom}(c) \rightsquigarrow_{s \cdot a\beta\pi} v$. Since $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta\gamma, v, s)$, this implies

$\mathrm{dom}(a) \notin \mathrm{disources}(a\beta\pi, \mathrm{dom}(c), s)$,

hence we have a contradiction to the minimality of $\gamma$.

— Assume $\mathrm{obs}_u(s \cdot a\beta b\beta') = \mathrm{obs}_u(s \cdot a\beta\beta')$ and $\mathrm{obs}_u(s \cdot \beta b\beta') = \mathrm{obs}_u(s \cdot \beta\beta')$. Since $\mathrm{obs}_u(s \cdot a\beta b\beta') \neq \mathrm{obs}_u(s \cdot \beta b\beta')$, this implies $\mathrm{obs}_u(s \cdot a\beta\beta') \neq \mathrm{obs}_u(s \cdot \beta\beta')$. To obtain a contradiction to the minimality of $\alpha$, it suffices to show that $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta\beta', u, s)$. Hence indirectly assume that $\mathrm{dom}(a) \in \mathrm{disources}(a\beta\beta', u, s)$, and let $\gamma$ be a minimal prefix of $\beta'$ such that there is an agent $v$ with

• $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta b\gamma, v, s)$, and

• $\mathrm{dom}(a) \in \mathrm{disources}(a\beta\gamma, v, s)$.

Since choosing $v = u$ and $\gamma = \beta'$ satisfies these conditions, such a minimal $\gamma$ exists. Now consider the step where $v$ "learns" $a$, which clearly happens inside $\gamma$ (as $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta b\gamma, v, s)$). Hence $\gamma = \pi c \pi'$ with

• $\mathrm{dom}(a) \in \mathrm{disources}(a\beta\pi, \mathrm{dom}(c), s)$, and

• $\mathrm{dom}(c) \rightsquigarrow_{s \cdot a\beta\pi} v$.

Since $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta b\gamma, v, s)$, we have $\mathrm{dom}(b) \notin \mathrm{disources}(b\gamma, v, s \cdot a\beta)$. Since $\pi$ is a prefix of $\gamma$, this implies $\mathrm{dom}(b) \notin \mathrm{disources}(b\pi, v, s \cdot a\beta)$. The conditions of the lemma thus imply that $v^{\rightsquigarrow}_{s \cdot a\beta b\pi} = v^{\rightsquigarrow}_{s \cdot a\beta\pi}$. In particular, this implies $\mathrm{dom}(c) \rightsquigarrow_{s \cdot a\beta b\pi} v$. Since $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta b\gamma, v, s)$, this implies $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta b\pi, \mathrm{dom}(c), s)$, which is a contradiction to the minimality of $\gamma$.

□

We now show a similar fact which allows us to easily verify whether a policy is intransitively uniform: To verify uniformity, it again suffices to consider action sequences in which the "secret" action is not even transmitted a single step. This is shown in the following lemma:

Lemma B.7. If a policy for a system is not intransitively uniform, there are an agent $u$, an action $a$, a sequence $\alpha$ and a state $s$ such that

1. $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$,

2. $u^{\rightsquigarrow}_{s \cdot a\alpha} \neq u^{\rightsquigarrow}_{s \cdot \alpha}$,

and $\alpha$ contains no $b$ with $\mathrm{dom}(a) \rightsquigarrow_s \mathrm{dom}(b)$.

Proof. Choose $u$, $a$, $s$ and $\alpha$ such that $|\alpha|$ is minimal, and indirectly assume that $\alpha = \beta b \beta'$ for some sequences $\beta$ and $\beta'$, where $\mathrm{dom}(a) \rightsquigarrow_s \mathrm{dom}(b)$. Note that this implies

$\mathrm{dom}(b) \notin \mathrm{disources}(b\beta', u, s \cdot a\beta)$,

which we will use throughout the proof. We consider three cases:

— Assume that $u^{\rightsquigarrow}_{s \cdot a\beta b\beta'} \neq u^{\rightsquigarrow}_{s \cdot a\beta\beta'}$. Choose $s' = s \cdot a\beta$, $a' = b$ and $\alpha' = \beta'$. This is a contradiction to the minimality of $\alpha$, since $|\alpha'| < |\alpha|$.

— Assume that $u^{\rightsquigarrow}_{s \cdot \beta b\beta'} \neq u^{\rightsquigarrow}_{s \cdot \beta\beta'}$. We choose $s' = s \cdot \beta$, $a' = b$ and $\alpha' = \beta'$ and obtain a contradiction in the same way as in the above case. For this, it suffices to prove that $\mathrm{dom}(b) \notin \mathrm{disources}(b\beta', u, s \cdot \beta)$. Hence assume indirectly that $\mathrm{dom}(b) \in \mathrm{disources}(b\beta', u, s \cdot \beta)$. Let $\gamma$ be a minimal prefix of $b\beta'$ such that there is an agent $v$ with

• $\mathrm{dom}(b) \in \mathrm{disources}(\gamma, v, s \cdot \beta)$,

• $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta\gamma, v, s)$.

Since $\gamma = b\beta'$ and $v = u$ satisfy these conditions, such a minimal choice of $\gamma$ and $v$ exists. Now consider the position where $v$ "learns" $b$, i.e., let $\gamma = \pi c \pi'$ such that the action $c$ transmits the $b$-action to $v$, i.e., we have that

• $\mathrm{dom}(b) \in \mathrm{disources}(\pi, \mathrm{dom}(c), s \cdot \beta)$,

• $\mathrm{dom}(c) \rightsquigarrow_{s \cdot \beta\pi} v$.

Note that $\pi$ is a proper prefix of $\gamma$. Since $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta\gamma, v, s)$, it follows that $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta\pi, v, s)$. Hence we know by the minimality of $\alpha$ that $v^{\rightsquigarrow}_{s \cdot a\beta\pi} = v^{\rightsquigarrow}_{s \cdot \beta\pi}$; in particular, $\mathrm{dom}(c) \rightsquigarrow_{s \cdot a\beta\pi} v$. We now have the following:

• Due to the above, we know that $\mathrm{dom}(b) \in \mathrm{disources}(\pi, \mathrm{dom}(c), s \cdot \beta)$,

• since $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta\gamma, v, s)$, we know that $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta\pi, \mathrm{dom}(c), s)$.

Since $\pi$ is a proper prefix of $\gamma$, this is a contradiction to the minimality of $\gamma$.

— Assume that $u^{\rightsquigarrow}_{s \cdot a\beta b\beta'} = u^{\rightsquigarrow}_{s \cdot a\beta\beta'}$ and $u^{\rightsquigarrow}_{s \cdot \beta b\beta'} = u^{\rightsquigarrow}_{s \cdot \beta\beta'}$. Since $u^{\rightsquigarrow}_{s \cdot a\beta b\beta'} \neq u^{\rightsquigarrow}_{s \cdot \beta b\beta'}$, it then follows that $u^{\rightsquigarrow}_{s \cdot a\beta\beta'} \neq u^{\rightsquigarrow}_{s \cdot \beta\beta'}$. It suffices to show that $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta\beta', u, s)$; we then have a contradiction to the minimality of $\alpha$. Hence indirectly assume that $\mathrm{dom}(a) \in \mathrm{disources}(a\beta\beta', u, s)$. Let $\gamma$ be a minimal prefix of $\beta'$ such that there is some $v$ with

• $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta b\gamma, v, s)$,

• $\mathrm{dom}(a) \in \mathrm{disources}(a\beta\gamma, v, s)$.

Since $\gamma = \beta'$ and $v = u$ satisfy these conditions, such a minimal choice exists. Similarly as before, look at the action where $a$ is forwarded to $v$, i.e., let $\gamma = \pi c \pi'$ such that

• $\mathrm{dom}(a) \in \mathrm{disources}(a\beta\pi, \mathrm{dom}(c), s)$,

• $\mathrm{dom}(c) \rightsquigarrow_{s \cdot a\beta\pi} v$.

Since $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta b\gamma, v, s)$ and $\mathrm{dom}(a) \rightsquigarrow_s \mathrm{dom}(b)$, it follows that $\mathrm{dom}(b) \notin \mathrm{disources}(b\gamma, v, s \cdot a\beta)$. Since $\pi$ is a prefix of $\gamma$, this implies $\mathrm{dom}(b) \notin \mathrm{disources}(b\pi, v, s \cdot a\beta)$. The minimality of $\alpha$ implies that $v^{\rightsquigarrow}_{s \cdot a\beta b\pi} = v^{\rightsquigarrow}_{s \cdot a\beta\pi}$; in particular, $\mathrm{dom}(c) \rightsquigarrow_{s \cdot a\beta b\pi} v$. Since $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta b\gamma, v, s)$, we obtain

• $\mathrm{dom}(a) \notin \mathrm{disources}(a\beta b\pi, \mathrm{dom}(c), s)$,

• from the above, we know that $\mathrm{dom}(a) \in \mathrm{disources}(a\beta\pi, \mathrm{dom}(c), s)$.

This contradicts the minimality of $\gamma$, since $\pi$ is a proper prefix of $\gamma$.

□

Using these lemmas, we can now prove Theorem 5.15.

Proof. 1. First assume that there is a uniform dynamic intransitive unwinding satisfying uPC$^{\mathrm{dIP}}$, uSC$^{\mathrm{dIP}}$ and uLR$^{\mathrm{dIP}}$, and indirectly assume that the policy is not intransitively uniform. Due to Lemma B.7, there exist $a$, $u$, $s$ and $\alpha$ such that $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$, $u^{\rightsquigarrow}_{s \cdot a\alpha} \neq u^{\rightsquigarrow}_{s \cdot \alpha}$, and $\alpha$ does not contain any $b$ with $\mathrm{dom}(a) \rightsquigarrow_s \mathrm{dom}(b)$. Let $v = \mathrm{dom}(a)$. Let $\approx^{u,v}_s$ be an equivalence relation satisfying uPC$^{\mathrm{dIP}}$, uSC$^{\mathrm{dIP}}$ and uLR$^{\mathrm{dIP}}$. It suffices to show that $s \cdot a\alpha \approx^{u,v}_s s \cdot \alpha$ to obtain a contradiction to uPC$^{\mathrm{dIP}}$. Clearly, $\mathrm{dom}(a) \not\rightsquigarrow_s u$, hence uLR$^{\mathrm{dIP}}$ implies $s \approx^{u,\mathrm{dom}(a)}_s s \cdot a$, i.e., $s \approx^{u,v}_s s \cdot a$. Note that for all $a'$ appearing in $\alpha$, we have that $\mathrm{dom}(a) \not\rightsquigarrow_s \mathrm{dom}(a')$. Hence applying uSC$^{\mathrm{dIP}}$ for each $a'$, we obtain $s \cdot a\alpha \approx^{u,v}_s s \cdot \alpha$ as required.

For the converse, assume that for all $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$ we have that $u^{\rightsquigarrow}_{s \cdot a\alpha} = u^{\rightsquigarrow}_{s \cdot \alpha}$, and let $s_0$ be a state and let $v$ and $u$ be agents. We define

$s \approx^{u,v}_{s_0} t$ iff for all sequences $\alpha$ that contain no $b$ with $v \rightsquigarrow_{s_0} \mathrm{dom}(b)$, we have $u^{\rightsquigarrow}_{s \cdot \alpha} = u^{\rightsquigarrow}_{t \cdot \alpha}$.

Clearly, $\approx^{u,v}_{s_0}$ is an equivalence relation and satisfies uPC$^{\mathrm{dIP}}$ (choose $\alpha = \varepsilon$). For showing uSC$^{\mathrm{dIP}}$, let $s \approx^{u,v}_{s_0} t$, and let $v \not\rightsquigarrow_{s_0} \mathrm{dom}(a)$. To show the required condition $s \cdot a \approx^{u,v}_{s_0} t \cdot a$, let $\alpha$ be a sequence containing no $b$ with $v \rightsquigarrow_{s_0} \mathrm{dom}(b)$. Since $v \not\rightsquigarrow_{s_0} \mathrm{dom}(a)$, the sequence $a\alpha$ satisfies the same condition, and hence from $s \approx^{u,v}_{s_0} t$ it follows that $u^{\rightsquigarrow}_{s \cdot a\alpha} = u^{\rightsquigarrow}_{t \cdot a\alpha}$ as required.

Finally, consider uLR$^{\mathrm{dIP}}$. Let $\mathrm{dom}(a) \not\rightsquigarrow_s u$. To show that $s \approx^{u,\mathrm{dom}(a)}_s s \cdot a$, let $\alpha$ be such that no $b$ with $\mathrm{dom}(a) \rightsquigarrow_s \mathrm{dom}(b)$ appears in $\alpha$; we need to show that $u^{\rightsquigarrow}_{s \cdot \alpha} = u^{\rightsquigarrow}_{s \cdot a\alpha}$. This follows from the prerequisites, since clearly $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$.

2. (a) Assume that the system is noninterference-secure, let $s_0$ be a state, and let $v$ and $u$ be agents. We define:

$s \approx^{u,v}_{s_0} t$ iff for all sequences $\alpha$ that contain no $b$ with $v \rightsquigarrow_{s_0} \mathrm{dom}(b)$, we have $\mathrm{obs}_u(s \cdot \alpha) = \mathrm{obs}_u(t \cdot \alpha)$.

Clearly, $\approx^{u,v}_{s_0}$ is an equivalence relation and satisfies uOC$^{\mathrm{dIP}}$ (choose $\alpha = \varepsilon$). For showing uSC$^{\mathrm{dIP}}$, let $s \approx^{u,v}_{s_0} t$, and let $a \in A$ with $v \not\rightsquigarrow_{s_0} \mathrm{dom}(a)$. We need to show that for all $\alpha$ containing no $b$ with $v \rightsquigarrow_{s_0} \mathrm{dom}(b)$, we have $\mathrm{obs}_u(s \cdot a\alpha) = \mathrm{obs}_u(t \cdot a\alpha)$. This trivially follows from $s \approx^{u,v}_{s_0} t$, since $\alpha' = a\alpha$ also does not contain a $b$ with $v \rightsquigarrow_{s_0} \mathrm{dom}(b)$.

Finally, consider uLR$^{\mathrm{dIP}}$. Let $\mathrm{dom}(a) \not\rightsquigarrow_s u$. We need to show that $s \approx^{u,\mathrm{dom}(a)}_s s \cdot a$. Hence let $\alpha$ be a sequence containing no $b$ with $\mathrm{dom}(a) \rightsquigarrow_s \mathrm{dom}(b)$. We need to show that $\mathrm{obs}_u(s \cdot \alpha) = \mathrm{obs}_u(s \cdot a\alpha)$. Since the system is noninterference-secure, it suffices to show that $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$. This follows trivially since $\mathrm{dom}(a) \not\rightsquigarrow_s u$ and $\alpha$ does not contain any $b$ with $\mathrm{dom}(a) \rightsquigarrow_s \mathrm{dom}(b)$.

(b) Assume that the system is not dIP-secure. Due to Lemma B.6, there are a state $s$, an agent $u$, an action $a$ and a sequence $\alpha$ with $\mathrm{dom}(a) \notin \mathrm{disources}(a\alpha, u, s)$, $\mathrm{obs}_u(s \cdot a\alpha) \neq \mathrm{obs}_u(s \cdot \alpha)$, and $\alpha$ does not contain any $b$ with $\mathrm{dom}(a) \rightsquigarrow_s \mathrm{dom}(b)$. Let $v = \mathrm{dom}(a)$, and let $\approx^{u,v}_s$ be an equivalence relation on $S$ that satisfies uOC$^{\mathrm{dIP}}$, uSC$^{\mathrm{dIP}}$ and uLR$^{\mathrm{dIP}}$. It suffices to show that $s \cdot \alpha \approx^{u,v}_s s \cdot a\alpha$. Clearly we have that $v \not\rightsquigarrow_s u$. Therefore (recall that $v = \mathrm{dom}(a)$), uLR$^{\mathrm{dIP}}$ implies $s \approx^{u,v}_s s \cdot a$. Note that for all $b$ in $\alpha$, we have that $\mathrm{dom}(a) \not\rightsquigarrow_s \mathrm{dom}(b)$. Hence applying uSC$^{\mathrm{dIP}}$ repeatedly, we obtain $s \cdot a\alpha \approx^{u,v}_s s \cdot \alpha$, which completes the proof.

□